{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31698", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-03-31T23:45:24.580Z", "datePublished": "2025-06-19T10:07:46.733Z", "dateUpdated": "2025-06-20T13:32:19.681Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Traffic Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "10.0.6", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.10", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.</p>Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.&nbsp;<br><p>This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.</p><p>Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.</p>"}], "value": "ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.\n\nUsers can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.\u00a0\nThis issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-19T10:07:46.733Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-20T13:31:33.907068Z", "id": "CVE-2025-31698", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T13:32:19.681Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-31698", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-20T13:31:33.907068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T13:31:47.401Z"}}], "cna": {"title": "Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL", "source": {"discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Traffic Server", "versions": [{"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.6"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.2.10"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.\n\nUsers can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.\u00a0\nThis issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.</p>Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.&nbsp;<br><p>This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.</p><p>Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-19T10:07:46.733Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31698", "state": "PUBLISHED", "dateUpdated": "2025-06-20T13:32:19.681Z", "dateReserved": "2025-03-31T23:45:24.580Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-06-19T10:07:46.733Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AB2F8C0-3B8A-4C21-8358-4718FB3ECA5C", "versionEndExcluding": "9.2.11", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AF96465-2A06-4EC2-832C-36A094908691", "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.\n\nUsers can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.\u00a0\nThis issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue."}, {"lang": "es", "value": "La ACL configurada en ip_allow.config o remap.config no utiliza las direcciones IP proporcionadas por el protocolo PROXY. Los usuarios pueden usar una nueva configuraci\u00f3n (proxy.config.acl.subjects) para elegir las direcciones IP que se usar\u00e1n para la ACL si Apache Traffic Server est\u00e1 configurado para aceptar el protocolo PROXY. Este problema afecta a las versiones undefined: de la 10.0.0 a la 10.0.6 y de la 9.0.0 a la 9.2.10. Se recomienda actualizar a la versi\u00f3n 9.2.11 o 10.0.6, que soluciona el problema."}], "id": "CVE-2025-31698", "lastModified": "2025-07-01T20:14:42.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-06-19T10:15:20.980", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "trafficserver: Apache Traffic Server PROXY Protocol ACL Bypass", "id": "2373846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373846"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-284", "details": ["ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.\nUsers can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.\u00a0\nThis issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.", "A flaw was found in trafficserver. Access control lists (ACLs) configured within `ip_allow.config` or `remap.config` incorrectly utilize IP addresses, failing to account for those provided by the PROXY protocol. This can allow an attacker to bypass intended access restrictions by manipulating the source IP address presented via the PROXY protocol. This misconfiguration allows for unintended access based on a non-validated IP address."], "mitigation": {"lang": "en:us", "value": "To mitigate this flaw use the new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol."}, "name": "CVE-2025-31698", "public_date": "2025-06-19T10:07:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-31698"], "statement": "The severity is rated as Moderate because this vulnerability requires a specific, non-default configuration to be exploitable. Apache Traffic Server is primarily available in Red Hat environments through the Extra Packages for Enterprise Linux (EPEL) repository, which is community-supported. The impact is limited to environments where administrators have explicitly enabled and trusted the PROXY protocol for client IP information in their ACL configurations. This reduces the likelihood of broad impact across Red Hat products.", "threat_severity": "Moderate"}