Description
The ESI plugin does not enforce a limit on maximum inclusion depth, which allows excessive memory consumption if malicious instructions are inserted.
Users can use a new plugin setting (--max-inclusion-depth) to limit it.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, and from 9.0.0 through 9.2.10.
Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
A flaw was found in trafficserver. The Edge Side Includes (ESI) plugin lacks a limit on maximum inclusion depth, allowing a remote attacker to trigger excessive memory consumption by inserting malicious instructions. This condition occurs due to the plugin's inability to restrict the nesting of ESI includes, potentially leading to a denial of service. The vulnerability is triggered via a crafted ESI request.
Statement
This issue is rated as Important because it allows a remote, unauthenticated attacker to impact the availability of the service without requiring user interaction. While it requires a specific plugin to be enabled, ESI is a common feature for environments that serve dynamic content. The vulnerability does not lead to a compromise of confidentiality or integrity, preventing a "Critical" rating. Apache Traffic Server is primarily available in Red Hat environments through the community-supported EPEL repository, which is a key factor in this assessment.
Mitigation
To mitigate this flaw, use the new plugin setting (--max-inclusion-depth) to limit how deeply ESI includes may nest.
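The following is an added illustration, not code from the Apache Traffic Server ESI plugin: a minimal include expander over an in-memory fragment store (constructed here) that applies the same kind of depth cap the new setting introduces, so a self-including fragment is rejected instead of being fetched and buffered without bound.

```python
import re
from typing import Dict

# Constructed example, not the ESI plugin's code. It mimics the include
# expansion step and the depth cap that --max-inclusion-depth provides.
ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    """Raised when nested <esi:include> tags exceed the configured limit."""


def expand(name: str, fragments: Dict[str, str], max_depth: int, depth: int = 0) -> str:
    """Expand ESI includes in fragment `name`, refusing to nest deeper than max_depth.

    `fragments` stands in for the origin responses the plugin would fetch.
    Without the depth check, a fragment that includes itself would be
    expanded again and again, growing the buffered response without limit.
    """
    if depth > max_depth:
        raise InclusionDepthExceeded(f"depth {depth} exceeds limit {max_depth} at {name!r}")
    body = fragments[name]

    def sub(match: "re.Match[str]") -> str:
        # Each nested include is one level deeper than the fragment containing it.
        return expand(match.group(1), fragments, max_depth, depth + 1)

    return ESI_INCLUDE.sub(sub, body)


# Constructed fragments: a benign two-level page and a self-including fragment.
FRAGMENTS = {
    "page": '<html><esi:include src="header"/><p>body</p></html>',
    "header": '<div><esi:include src="nav"/></div>',
    "nav": "<ul><li>home</li></ul>",
    "loop": '<p><esi:include src="loop"/></p>',
}


def demo(max_depth: int = 3) -> dict:
    """Expand both fragments under the cap and report what happened to each."""
    out = {"page": expand("page", FRAGMENTS, max_depth)}
    try:
        expand("loop", FRAGMENTS, max_depth)
        out["loop"] = "expanded"
    except InclusionDepthExceeded as exc:
        out["loop"] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```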
Additional information
Status:
EPSS:
CVSS3: 7.5 (High)