CVE-2024-53868 - Vulnerability Details - OpenCVE

Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Apache	Traffic Server

Configuration 1 [-]

OR	cpe:2.3:a:apache:traffic_server::::::::
	cpe:2.3:a:apache:traffic_server::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/04/02/4
https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9

History

Tue, 29 Apr 2025 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache traffic Server
CPEs		cpe:2.3:a:apache:traffic_server::::::::
Vendors & Products		Apache Apache traffic Server

Fri, 18 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 03 Apr 2025 09:45:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/04/02/4

Thu, 03 Apr 2025 09:15:00 +0000

Type	Values Removed	Values Added
Description		Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.
Title		Apache Traffic Server: Malformed chunked message body allows request smuggling
Weaknesses		CWE-444
References		https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2025-04-03T08:59:02.557Z

Updated: 2025-04-18T14:38:03.477Z

Reserved: 2024-11-22T19:01:29.833Z

Link: CVE-2024-53868

Vulnrichment

Updated: 2025-04-03T09:03:43.467Z

NVD

Status : Analyzed

Published: 2025-04-03T09:15:15.780

Modified: 2025-04-29T20:42:23.407

Link: CVE-2024-53868

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53868", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-11-22T19:01:29.833Z", "datePublished": "2025-04-03T08:59:02.557Z", "dateUpdated": "2025-04-18T14:38:03.477Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Traffic Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "9.2.9", "status": "affected", "version": "9.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.0.4", "status": "affected", "version": "10.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Jeppe Bonde Weikop"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Apache Traffic Server allows request smuggling if c</span>hunked messages are malformed.</span> </p><p></p><p></p><p>This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.</p><p>Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.</p>"}], "value": "Apache Traffic Server allows request smuggling if chunked messages are malformed.\u00a0\n\n\n\n\n\nThis issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.\n\nUsers are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-04-03T08:59:02.557Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Traffic Server: Malformed chunked message body allows request smuggling", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/04/02/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-03T09:03:43.467Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-18T14:37:32.583128Z", "id": "CVE-2024-53868", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T14:38:03.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/04/02/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-03T09:03:43.467Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-53868", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-18T14:37:32.583128Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T14:29:40.844Z"}}], "cna": {"title": "Apache Traffic Server: Malformed chunked message body allows request smuggling", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Jeppe Bonde Weikop"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Traffic Server", "versions": [{"status": "affected", "version": "9.2.0", "versionType": "semver", "lessThanOrEqual": "9.2.9"}, {"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Apache Traffic Server allows request smuggling if chunked messages are malformed.\u00a0\n\n\n\n\n\nThis issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.\n\nUsers are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p></p><p><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Apache Traffic Server allows request smuggling if c</span>hunked messages are malformed.</span> </p><p></p><p></p><p>This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.</p><p>Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-04-03T08:59:02.557Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53868", "state": "PUBLISHED", "dateUpdated": "2025-04-18T14:38:03.477Z", "dateReserved": "2024-11-22T19:01:29.833Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-04-03T08:59:02.557Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "49BBCCAA-EDE7-43C9-8F83-D9222041EB9D", "versionEndExcluding": "9.2.10", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA433D39-AD50-4477-8DAF-7933110A198F", "versionEndExcluding": "10.0.5", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Traffic Server allows request smuggling if chunked messages are malformed.\u00a0\n\n\n\n\n\nThis issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.\n\nUsers are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue."}, {"lang": "es", "value": "Apache Traffic Server permite el contrabando de solicitudes si los mensajes fragmentados tienen un formato incorrecto. Este problema afecta a Apache Traffic Server: de la 9.2.0 a la 9.2.9 y de la 10.0.0 a la 10.0.4. Se recomienda actualizar a la versi\u00f3n 9.2.10 o 10.0.5, que soluciona el problema."}], "id": "CVE-2024-53868", "lastModified": "2025-04-29T20:42:23.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-03T09:15:15.780", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2025/04/02/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security@apache.org", "type": "Secondary"}]}