Buffer overflow in Apache Traffic_server

CVE-2012-0256

Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows remote attackers to cause a denial of service (daemon crash) via a long HTTP Host header.

Vulnerability class: Buffer Overflow

EPSS: 0.016 (82.3th percentile) — read the EPSS interpretation.

Affected products

Apache Traffic_server — versions 2.0.0, 2.0.1, 2.1.0
N/a — versions n/a

Weakness classification (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer

References

20120322 [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2012-0256 (mailing-list, x_refsource_BUGTRAQ)
20120322 [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2012-0256 (mailing-list, x_refsource_FULLDISC)
52696 (vdb-entry, x_refsource_BID)
cret@cert.org (x_refsource_MISC)
1026847 (vdb-entry, x_refsource_SECTRACK)
cret@cert.org (x_refsource_CONFIRM, Patch)