HTTP: Apache Traffic Server ESI Plugin Cookie Header Information Disclosure

An information disclosure vulnerability has been reported in Apache Traffic Server. Successful exploitation of this vulnerability could lead to disclosure of sensitive information.

Extended Description

Pages rendered using the ESI plugin can access the cookie header even when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue, users running 6.x should upgrade to 6.2.3 or later, and users running 7.x should upgrade to 7.1.4 or later.

Affected Products

Apache traffic_server

Short Name: HTTP:STC:APACHE-ESI-ID
Severity: Minor
Recommended: True
Recommended Action: Drop
Category: HTTP
Keywords: Apache CVE-2018-8040 Cookie Disclosure ESI Header Information Plugin Server Traffic
Release Date: 09/20/2018
Supported Platforms

srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version: 3590
False Positive: Unknown
Vendors: Apache, Debian
CVSS Score: 5.0
