Re: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040

[Bryan Call <bcall () apache org>]

There was an error in the Version Affected section.  This also effects version 7.1.3 and users running 7.x should 
upgrade to 7.1.4 or later versions.

Thank you,

-Bryan



> On Aug 28, 2018, at 3:39 PM, Bryan Call <bcall () apache org> wrote:
>
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin
>
> Reported By:
> Louis Dion-Marcil
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
>
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to 
> allow access.
>
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
>
> References:
>       Downloads:
>               https://trafficserver.apache.org/downloads
>       Github Pull Request:
>               https://github.com/apache/trafficserver/pull/3926
>       CVE:
>               https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
>
> -Bryan