CVE-2024-50305
Publication date 14 November 2024
Last updated 12 February 2026
Ubuntu priority
Description
Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| trafficserver | 25.10 questing |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
Notes
ebarretto
Even though description mention 9.2.0 through 9.2.5, the oss-security mentions 9.0.0 to 9.2.5 and the vulnerable code can be found in jammy
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-50305
- https://www.openwall.com/lists/oss-security/2024/11/13/1
- https://github.com/apache/trafficserver/issues/8461
- https://github.com/apache/trafficserver/commit/5e39658f7c0bc91613468c9513ba22ede1739d7e (9.2.6-rc0)
- https://github.com/apache/trafficserver/commit/055ca11c2842a64bf7df8d547515670e1a04afc1 (master)
- https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y