cvelistv5 - cve-2020-9481

CVE-2020-9481 (GCVE-0-2020-9481)

Vulnerability from cvelistv5

Published

2020-04-27 21:11

Modified

2024-08-04 10:26

Severity ?

CWE

Other

Summary

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.

References

URL

	Vendor	Product	Version
	Apache	ATS	Version: 6.0.0 to 6.2.3 Version: 7.0.0 to 7.1.9 Version: 8.0.0 to 8.0.6

var-202004-1820

Vulnerability from variot

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack. Apache ATS Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be put into a state. Apache Traffic Server (ATS) is a set of scalable HTTP proxy and cache servers for the Apache Software Foundation. An attacker can use this vulnerability to cause a denial of service. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Debian Security Advisory DSA-4672-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 01, 2020 https://www.debian.org/security/faq

Package : trafficserver CVE ID : CVE-2019-17559 CVE-2019-17565 CVE-2020-1944 CVE-2020-9481

Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or request smuggling attacks.

For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u2.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6sXUoACgkQEMKTtsN8 TjYFJA//VVLh3ighaQPMj9HhwDwsOrn0GSj8UkRc/nYuEQBdfKf5nE7JJio//U65 NHCGih9o9sfnZ9q+bxryED+RiKMOyUvxqMOqRhXItekVkXaRNWcXWqbGW+2MTL1H yOSaq9oMMv04/xzUcWId3T3WdrZk9vlehGmj7Eo0W2eH65itXL+RaKAJuZL+Jtrl XsT380xATHKyyuiN2OaIgWwFGSpzQ1cwXnvQzYOk1LXlTqFA9UhBWZJHsNAwXlqQ ANURjLVa5Z+LwmkpAgpksL+bSMinX+XKKNsc82e0NJkDFuk/VhQle3AYhERC23eC Nar2nXHMC9yvH/ym8MNVYa48PTWD3xYalncAOyMiw7b4tts4uWkAPpnhWxY2g9p5 0xIlZvlDFzW50DsneNo1cHscsg4hlYDlzo2ucYBZHlFRFVj+tVU7t/5E+PctKifi ls8jf7TrDqLJfyyVxH9k+qMpo2KbOWk/PgCfaOsWbTcEVlpUUOCfTx1+rExTVNVs cmkrA3GYijHNqLhs2Lsrv3TnSOviSXdewnN1uGlfhSEPL9LndKOaxWr6w9P4HCVF Qvt8p9lZCQM4zs9FvSrvbb6y9B6P5/BzQKwTlJ/ziuUQeLz3Cn+skt9sRFP0u2Un NGefeHnatRuux9EFVnEqHRsG2+/HbpXiv/Hfdh0M6PNeW23PqLI= =0mTC -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202004-1820",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "traffic server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "8.0.0"
      },
      {
        "model": "traffic server",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "8.0.6"
      },
      {
        "model": "traffic server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "7.0.0"
      },
      {
        "model": "traffic server",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "6.2.3"
      },
      {
        "model": "traffic server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "6.0.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "10.0"
      },
      {
        "model": "traffic server",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "7.1.9"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apache",
        "version": "6.0.0 \u304b\u3089 6.2.3"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apache",
        "version": "7.0.0 \u304b\u3089 7.1.9"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apache",
        "version": "8.0.0 \u304b\u3089 8.0.6"
      },
      {
        "model": "gnu/linux",
        "scope": null,
        "trust": 0.8,
        "vendor": "debian",
        "version": null
      },
      {
        "model": "traffic server",
        "scope": "gte",
        "trust": 0.6,
        "vendor": "apache",
        "version": "6.0.0,\u003c=6.2.3"
      },
      {
        "model": "traffic server",
        "scope": "gte",
        "trust": 0.6,
        "vendor": "apache",
        "version": "7.0.0,\u003c=7.1.9"
      },
      {
        "model": "traffic server",
        "scope": "gte",
        "trust": 0.6,
        "vendor": "apache",
        "version": "8.0.0,\u003c=8.0.6"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.0.0"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.0.3"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.1.0"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.1.1"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.2.0"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.2.1"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.2.2"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "6.2.3"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.0.0"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.0"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.1"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.2"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.3"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.4"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.5"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.6"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.7"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.8"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "7.1.9"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "8.0.0"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "8.0.1"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "8.0.2"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "8.0.3"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "8.0.4"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "8.0.5"
      },
      {
        "model": "traffic server",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "apache",
        "version": "8.0.6"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "debian",
        "version": "10"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:apache:traffic_server",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:debian:debian_linux",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Debian",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "168822"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2020-9481",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-9481",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.1,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 5.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-004901",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-28765",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-9481",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-004901",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-9481",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-004901",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-28765",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202004-2226",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-9481",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack. Apache ATS Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be put into a state. Apache Traffic Server (ATS) is a set of scalable HTTP proxy and cache servers for the Apache Software Foundation. An attacker can use this vulnerability to cause a denial of service. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4672-1                   security@debian.org\nhttps://www.debian.org/security/                       Moritz Muehlenhoff\nMay 01, 2020                          https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : trafficserver\nCVE ID         : CVE-2019-17559 CVE-2019-17565 CVE-2020-1944 CVE-2020-9481\n\nSeveral vulnerabilities were discovered in Apache Traffic Server, a\nreverse and forward proxy server, which could result in denial of service\nor request smuggling attacks. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 8.0.2+ds-1+deb10u2. \n\nWe recommend that you upgrade your trafficserver packages. \n\nFor the detailed security status of trafficserver please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/trafficserver\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6sXUoACgkQEMKTtsN8\nTjYFJA//VVLh3ighaQPMj9HhwDwsOrn0GSj8UkRc/nYuEQBdfKf5nE7JJio//U65\nNHCGih9o9sfnZ9q+bxryED+RiKMOyUvxqMOqRhXItekVkXaRNWcXWqbGW+2MTL1H\nyOSaq9oMMv04/xzUcWId3T3WdrZk9vlehGmj7Eo0W2eH65itXL+RaKAJuZL+Jtrl\nXsT380xATHKyyuiN2OaIgWwFGSpzQ1cwXnvQzYOk1LXlTqFA9UhBWZJHsNAwXlqQ\nANURjLVa5Z+LwmkpAgpksL+bSMinX+XKKNsc82e0NJkDFuk/VhQle3AYhERC23eC\nNar2nXHMC9yvH/ym8MNVYa48PTWD3xYalncAOyMiw7b4tts4uWkAPpnhWxY2g9p5\n0xIlZvlDFzW50DsneNo1cHscsg4hlYDlzo2ucYBZHlFRFVj+tVU7t/5E+PctKifi\nls8jf7TrDqLJfyyVxH9k+qMpo2KbOWk/PgCfaOsWbTcEVlpUUOCfTx1+rExTVNVs\ncmkrA3GYijHNqLhs2Lsrv3TnSOviSXdewnN1uGlfhSEPL9LndKOaxWr6w9P4HCVF\nQvt8p9lZCQM4zs9FvSrvbb6y9B6P5/BzQKwTlJ/ziuUQeLz3Cn+skt9sRFP0u2Un\nNGefeHnatRuux9EFVnEqHRsG2+/HbpXiv/Hfdh0M6PNeW23PqLI=\n=0mTC\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-9481"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "db": "PACKETSTORM",
        "id": "168822"
      }
    ],
    "trust": 2.34
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-9481",
        "trust": 3.2
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.1566",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "168822",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "PACKETSTORM",
        "id": "168822"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "id": "VAR-202004-1820",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:51:37.843000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "[ANNOUNCE] Apache Traffic Server is vulnerable to a HTTP/2 slow read attack (revised URL to CVE)",
        "trust": 0.8,
        "url": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E"
      },
      {
        "title": "DSA-4672",
        "trust": 0.8,
        "url": "https://www.debian.org/security/2020/dsa-4672"
      },
      {
        "title": "Patch for Apache Traffic Server resource management error vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/217791"
      },
      {
        "title": "Apache Traffic Server Remediation of resource management error vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117728"
      },
      {
        "title": "Debian Security Advisories: DSA-4672-1 trafficserver -- security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=068031a0d7824f96d2ef05460c32232d"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-400",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9481"
      },
      {
        "trust": 1.7,
        "url": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3cannounce.trafficserver.apache.org%3e"
      },
      {
        "trust": 1.7,
        "url": "https://www.debian.org/security/2020/dsa-4672"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9481"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.1566/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/apache-traffic-server-overload-via-http-2-slow-read-32173"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/400.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/180966"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1944"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17565"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://security-tracker.debian.org/tracker/trafficserver"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17559"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "PACKETSTORM",
        "id": "168822"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "db": "PACKETSTORM",
        "id": "168822"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-05-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "date": "2020-04-27T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "date": "2020-06-01T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "date": "2020-05-28T19:12:00",
        "db": "PACKETSTORM",
        "id": "168822"
      },
      {
        "date": "2020-04-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      },
      {
        "date": "2020-04-27T22:15:12.457000",
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-05-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "date": "2020-05-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-9481"
      },
      {
        "date": "2020-06-01T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-004901"
      },
      {
        "date": "2020-05-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      },
      {
        "date": "2024-11-21T05:40:44.080000",
        "db": "NVD",
        "id": "CVE-2020-9481"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apache Traffic Server resource management error vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-28765"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "resource management error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2226"
      }
    ],
    "trust": 0.6
  }
}

cnvd-2020-28765

Vulnerability from cnvd

Title

Apache Traffic Server资源管理错误漏洞

Description

Apache Traffic Server（ATS）是美国阿帕奇（Apache）软件基金会的一套可扩展的HTTP代理和缓存服务器。 Apache ATS 6.0.0版本至6.2.3版本、7.0.0版本至7.1.9版本和8.0.0版本至8.0.6版本中存在安全漏洞。攻击者可利用该漏洞造成拒绝服务。

Severity

高

Patch Name

Apache Traffic Server资源管理错误漏洞的补丁

Patch Description

Apache Traffic Server（ATS）是美国阿帕奇（Apache）软件基金会的一套可扩展的HTTP代理和缓存服务器。 Apache ATS 6.0.0版本至6.2.3版本、7.0.0版本至7.1.9版本和8.0.0版本至8.0.6版本中存在安全漏洞。攻击者可利用该漏洞造成拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：

https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-9481

Impacted products

Name
['Apache Traffic Server >=6.0.0，<=6.2.3', 'Apache Traffic Server >=7.0.0，<=7.1.9', 'Apache Traffic Server >=8.0.0，<=8.0.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-9481"
    }
  },
  "description": "Apache Traffic Server\uff08ATS\uff09\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684HTTP\u4ee3\u7406\u548c\u7f13\u5b58\u670d\u52a1\u5668\u3002\n\nApache ATS 6.0.0\u7248\u672c\u81f36.2.3\u7248\u672c\u30017.0.0\u7248\u672c\u81f37.1.9\u7248\u672c\u548c8.0.0\u7248\u672c\u81f38.0.6\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\n\r\nhttps://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-28765",
  "openTime": "2020-05-18",
  "patchDescription": "Apache Traffic Server\uff08ATS\uff09\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684HTTP\u4ee3\u7406\u548c\u7f13\u5b58\u670d\u52a1\u5668\u3002\r\n\r\nApache ATS 6.0.0\u7248\u672c\u81f36.2.3\u7248\u672c\u30017.0.0\u7248\u672c\u81f37.1.9\u7248\u672c\u548c8.0.0\u7248\u672c\u81f38.0.6\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Traffic Server\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Traffic Server \u003e=6.0.0\uff0c\u003c=6.2.3",
      "Apache Traffic Server \u003e=7.0.0\uff0c\u003c=7.1.9",
      "Apache Traffic Server \u003e=8.0.0\uff0c\u003c=8.0.6"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-9481",
  "serverity": "\u9ad8",
  "submitTime": "2020-04-28",
  "title": "Apache Traffic Server\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

gsd-2020-9481

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.

Aliases

CVE-2020-9481

Aliases

CVE-2020-9481

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-9481",
    "description": "Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.",
    "id": "GSD-2020-9481",
    "references": [
      "https://www.debian.org/security/2020/dsa-4672"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-9481"
      ],
      "details": "Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.",
      "id": "GSD-2020-9481",
      "modified": "2023-12-13T01:21:52.531293Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2020-9481",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ATS",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "6.0.0 to 6.2.3"
                        },
                        {
                          "version_value": "7.0.0 to 7.1.9"
                        },
                        {
                          "version_value": "8.0.0 to 8.0.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Other"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E",
            "refsource": "CONFIRM",
            "url": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E"
          },
          {
            "name": "DSA-4672",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2020/dsa-4672"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.2.3",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "7.1.9",
                "versionStartIncluding": "7.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "8.0.6",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-9481"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E",
              "refsource": "CONFIRM",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "DSA-4672",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4672"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-08-18T15:05Z",
      "publishedDate": "2020-04-27T22:15Z"
    }
  }
}

fkie_cve-2020-9481

Vulnerability from fkie_nvd

Published

2020-04-27 22:15

Modified

2024-11-21 05:40

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.

References

URL	Tags
security@apache.org	https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E	Mailing List, Patch, Third Party Advisory
security@apache.org	https://www.debian.org/security/2020/dsa-4672	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E	Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2020/dsa-4672	Third Party Advisory

Impacted products

Vendor	Product	Version
apache	traffic_server	*
apache	traffic_server	*
apache	traffic_server	*
debian	debian_linux	10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "603BF43B-FC99-4039-A3C0-467F015A32FA",
              "versionEndIncluding": "6.2.3",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "888C6AC7-15B9-4D6F-8CA3-283700F6790B",
              "versionEndIncluding": "7.1.9",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "38C87BF4-BED4-4910-9524-4D8632688669",
              "versionEndIncluding": "8.0.6",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack."
    },
    {
      "lang": "es",
      "value": "Apache ATS versiones 6.0.0 hasta 6.2.3, versiones 7.0.0 hasta la versi\u00f3n 7.1.9 y versiones 8.0.0 hasta 8.0.6, es vulnerable a un ataque de lectura lenta de HTTP/2."
    }
  ],
  "id": "CVE-2020-9481",
  "lastModified": "2024-11-21T05:40:44.080",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-27T22:15:12.457",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4672"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4672"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-p73f-98x4-6v7q

Vulnerability from github

Published

2022-05-24 17:16

Modified

2022-05-24 17:16

Details

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-9481"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-27T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.",
  "id": "GHSA-p73f-98x4-6v7q",
  "modified": "2022-05-24T17:16:47Z",
  "published": "2022-05-24T17:16:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9481"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4672"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-9481 (GCVE-0-2020-9481)

Vulnerability from cvelistv5

var-202004-1820

Vulnerability from variot

cnvd-2020-28765

Vulnerability from cnvd

gsd-2020-9481

Vulnerability from gsd

fkie_cve-2020-9481

Vulnerability from fkie_nvd

ghsa-p73f-98x4-6v7q

Vulnerability from github

Tags

Sightings

Nomenclature