Apache Traffic Server Request Smuggling Vulnerability Due to Malformed Chunked Messages

Vulnerability

A request smuggling vulnerability has been identified in Apache Traffic Server (ATS) versions 9.0.0 prior to 9.2.12 and 10.0.0 prior to 10.1.1. ATS handles HTTP requests improperly when their chunked messages are malformed. An attacker could exploit this to manipulate how requests are processed, potentially leading to unauthorized actions or information disclosure.

Impact

Exploitation of this vulnerability allows for HTTP request smuggling, where an attacker can interfere with the way requests are handled by the server. This could lead to bypassing security controls, causing desynchronization between front-end and back-end servers, or manipulating request headers in a way that could be exploited.
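The advisory does not say which malformation ATS mishandled. As an added illustration (not ATS code and not part of the advisory), the decoder below enforces chunked framing as RFC 9112 section 7.1 defines it and rejects a body instead of guessing where it ends, which is how desynchronization is avoided. The names, the 1 MiB limit and the sample bodies are assumptions made for the example.

```python
import re

# chunk-size = 1*HEXDIG, optional ";ext", nothing else; surrounding whitespace is rejected.
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[^\r\n]*)?\Z")
MAX_CHUNK = 1 << 20  # assumed policy limit, not an ATS setting
# Constructed sample bodies (not from the advisory): one valid, three malformed.
SAMPLES = [b"5\r\nhello\r\n0\r\n\r\n", b"5\nhello\r\n0\r\n\r\n",
           b"5x\r\nhello\r\n0\r\n\r\n", b"5\r\nhelloXX0\r\n\r\n"]

class MalformedChunk(ValueError):
    """Raised when the body does not follow chunked framing exactly."""

def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return the line at pos and the offset after its CRLF; a bare CR or LF is an error."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise MalformedChunk("line not terminated by CRLF")
    line = buf[pos:end]
    if b"\n" in line or b"\r" in line:
        raise MalformedChunk("bare CR or LF inside a line")
    return line, end + 2

def decode_chunked(buf: bytes) -> tuple[bytes, bytes]:
    """Decode one chunked body; return (payload, bytes left over after the body)."""
    pos, out = 0, bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        m = _SIZE_LINE.match(line)
        if not m:
            raise MalformedChunk(f"bad chunk-size line {line!r}")
        size = int(m.group(1), 16)
        if size > MAX_CHUNK:
            raise MalformedChunk("chunk larger than policy limit")
        if size == 0:
            break
        if len(buf) < pos + size + 2:
            raise MalformedChunk("chunk-data shorter than declared size")
        out += buf[pos:pos + size]
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedChunk("chunk-data not followed by CRLF")
        pos += size + 2
    # Trailer section: zero or more field lines, then the empty line that ends the body.
    while True:
        line, pos = _read_line(buf, pos)
        if not line:
            return bytes(out), buf[pos:]
        if b":" not in line:
            raise MalformedChunk("malformed trailer field")
```

The second return value is whatever follows the terminating empty line, so a caller can see exactly where the next message on the connection begins.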

Remediation

Users of Apache Traffic Server 9.x should upgrade to version 9.2.13 or later. Users of Apache Traffic Server 10.x should upgrade to version 10.1.2 or later.

Added: Apr 2, 2026, 6:07 PM
Updated: Apr 2, 2026, 6:07 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 7.0
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.