CVE-2021-37150 — trafficserver - security update

Description

Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

How to fix CVE-2021-37150

To remediate CVE-2021-37150, upgrade the affected package to a fixed version below.

Debian/trafficserver—upgrade to 8.1.5+ds-1~deb11u1 or later
—upgrade to 8.0.2+ds-1+deb10u7 or later
—upgrade to 8.1.5+ds-1~deb11u1 or later

Is CVE-2021-37150 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 8.1.5+ds-1~deb11u1
from 0, < 8.0.2+ds-1+deb10u7
from 0, < 8.1.5+ds-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-37150