Vulnerability Details : CVE-2018-8005
When a range request contains multiple ranges, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue, users running 6.x should upgrade to 6.2.3 or later versions, and 7.x users should upgrade to 7.1.4 or later versions.
Products affected by CVE-2018-8005
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
Threat overview for CVE-2018-8005
- [Figure: top countries where our scanners detected CVE-2018-8005]
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2018-8005: 359
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-8005
- 0.51%: probability of exploitation activity in the next 30 days
- ~77%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-8005
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2018-8005
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-8005
- https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca@%3Cusers.trafficserver.apache.org%3E
  [ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005 - Pony Mail (Mitigation; Mailing List; Vendor Advisory)
- https://github.com/apache/trafficserver/pull/3106
  Adds a new configuration proxy.config.http.allow_multi_range by zwoop · Pull Request #3106 · apache/trafficserver · GitHub (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4282
  Debian -- Security Information -- DSA-4282-1 trafficserver (Third Party Advisory)
- https://github.com/apache/trafficserver/pull/3124
  Disables the support for multi-range request by default by zwoop · Pull Request #3124 · apache/trafficserver · GitHub (Third Party Advisory)
- http://www.securityfocus.com/bid/105187
  Apache Traffic Server CVE-2018-8005 Denial of Service Vulnerability (Third Party Advisory; VDB Entry)