CVE-2021-32565
7.5 HIGH (CVSS 3.1), EPSS 5.7%
Description
Invalid values in the Content-Length header sent to Apache Traffic Server allow an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
How to fix CVE-2021-32565
To remediate CVE-2021-32565, upgrade the affected package to a fixed version listed below.
- Debian/trafficserver: upgrade to 8.1.1+ds-1.1 or later
Is CVE-2021-32565 being exploited?
Moderate — EPSS is 5.7%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 8.1.1+ds-1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |