CVE-2025-31698
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-07-01
Assigner: Apache Software Foundation
Description
The access control lists (ACLs) that Apache Traffic Server evaluates from ip_allow.config and remap.config do not use the client IP addresses carried in the PROXY protocol header. When Traffic Server sits behind a load balancer that speaks PROXY protocol, the ACL is evaluated against the address of the TCP peer (the load balancer) rather than the originating client, so ip_allow and remap source-IP rules can be bypassed or misapplied. The fix adds the setting proxy.config.acl.subjects, which lets the operator choose which address the ACL should use.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | traffic_server | From 9.0.0 (inc) to 9.2.11 (exc) |
| apache | traffic_server | From 10.0.0 (inc) to 10.0.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the ACL (Access Control List) configured in ip_allow.config or remap.config is evaluated against the IP address of the TCP peer, not the client address supplied in the PROXY protocol header. When Apache Traffic Server is deployed behind a load balancer or TLS terminator that prepends a PROXY protocol header, the TCP peer is always that intermediary, so every connection appears to the ACL to come from the same trusted internal address and the rules written for real client addresses never match what they were meant to match. The fix introduces a new setting, proxy.config.acl.subjects, with which the operator specifies which address (the PROXY-protocol client address, the TCP peer address, or both in order of preference) the ACL should evaluate.
How can this vulnerability impact me?
This vulnerability causes incorrect access control decisions in Apache Traffic Server whenever the PROXY protocol is in use. Because the ACL checks the wrong address, a deny rule for an external client can be bypassed when that client's traffic arrives through an allowed intermediary, and an allow rule written for a specific client address can fail to match, blocking legitimate clients. The practical outcomes are unauthorized access to origins or remap rules that were meant to be restricted by source IP, and denial of service for clients that should have been permitted.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache Traffic Server to version 9.2.11 or 10.0.6, which contain fixes for this vulnerability (the affected ranges above end just before those releases). After upgrading, configure proxy.config.acl.subjects so that ACLs are evaluated against the client address provided by the PROXY protocol; upgrading alone does not change which address is used until the setting is reviewed. Verify the result by sending a request through the load balancer from an address your ip_allow.config denies and confirming that it is rejected. Independently of this fix, only accept the PROXY protocol from peers you trust (Traffic Server exposes an allowlist for this purpose, proxy.config.http.proxy_protocol_allowlist), since a client that can inject its own PROXY header can otherwise choose the address the ACL sees.
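The following is an added example, not code from BaseFortify or from the Apache Traffic Server project. It models the behaviour the Q&A describes in a few dozen lines of Python: a PROXY protocol v1 parser, a minimal first-match ip_allow-style ACL, and a subject selector that mirrors the idea behind proxy.config.acl.subjects. The sample connection bytes, the peer address 10.0.0.5, the ACL rule, and the subject tokens PEER and PROXY are all constructed for the example; check the Traffic Server records documentation for the exact accepted values of the real setting. Running it shows the vulnerable decision (ACL sees the load balancer and allows an external client) next to the corrected one (ACL sees the PROXY-supplied client address and denies it).

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: a load balancer at 10.0.0.5 accepts a connection from the
# real client 203.0.113.7 and forwards it with a PROXY protocol v1 header.
PEER_IP = "10.0.0.5"  # address of the TCP peer as Traffic Server would see it
SAMPLE_CONN = (
    b"PROXY TCP4 203.0.113.7 10.0.0.20 51234 8080\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
# Same request arriving without any PROXY header (peer connects directly).
SAMPLE_CONN_NO_PROXY = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_proxy_v1(data: bytes) -> Tuple[Optional[str], bytes]:
    """Return (client_ip or None, remaining bytes) for a PROXY v1 header.

    The v1 header is a single ASCII line of at most 107 bytes:
    'PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\\r\\n'.
    Raises ValueError on a malformed header instead of guessing."""
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, 108)
    if end == -1:
        raise ValueError("PROXY v1 header missing CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest  # peer declared the origin unknown: no client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6 tag")
    for port in (fields[4], fields[5]):
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            raise ValueError("bad port in PROXY v1 header")
    return str(src), rest


class IpAllow:
    """Toy first-match ACL in the spirit of ip_allow.config: unmatched = deny."""

    def __init__(self, rules: List[Tuple[str, str]]):
        self.rules = [(ipaddress.ip_network(net), action) for net, action in rules]

    def is_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for net, action in self.rules:
            if addr.version == net.version and addr in net:
                return action == "allow"
        return False


def acl_subject_ip(peer_ip: str, proxy_ip: Optional[str], subjects: Tuple[str, ...]) -> str:
    """Pick the address the ACL evaluates (assumed semantics of acl.subjects):
    walk the configured subjects in order and use the first that yields an
    address; PROXY is skipped when no PROXY header was present."""
    for subject in subjects:
        if subject == "PROXY" and proxy_ip is not None:
            return proxy_ip
        if subject == "PEER":
            return peer_ip
    return peer_ip


def evaluate(conn: bytes, peer_ip: str, acl: IpAllow, subjects: Tuple[str, ...]) -> Tuple[str, bool]:
    """Return (address the ACL actually checked, allowed?) for one connection."""
    proxy_ip, _rest = parse_proxy_v1(conn)
    subject = acl_subject_ip(peer_ip, proxy_ip, subjects)
    return subject, acl.is_allowed(subject)


# Constructed policy: only the internal network may reach this proxy.
INTERNAL_ONLY = IpAllow([("10.0.0.0/8", "allow")])

if __name__ == "__main__":
    # Vulnerable behaviour: ACL keyed on the TCP peer, so the load balancer's
    # address is checked and the external client 203.0.113.7 gets through.
    print("PEER only      :", evaluate(SAMPLE_CONN, PEER_IP, INTERNAL_ONLY, ("PEER",)))
    # Corrected behaviour: ACL keyed on the PROXY-supplied client address.
    print("PROXY then PEER:", evaluate(SAMPLE_CONN, PEER_IP, INTERNAL_ONLY, ("PROXY", "PEER")))
    # Without a PROXY header the selector falls back to the peer address.
    print("no PROXY header:", evaluate(SAMPLE_CONN_NO_PROXY, PEER_IP, INTERNAL_ONLY, ("PROXY", "PEER")))
```

The three printed lines are the whole story of the CVE: with the peer as subject the ACL returns allowed for a connection that really originated outside 10.0.0.0/8, while with the PROXY address as subject the same bytes are denied. The fallback case matters in practice too: if you put PROXY first but some listener does not receive PROXY headers, the ACL silently reverts to peer addresses for those connections, which is why the allowlist of trusted PROXY senders and a per-listener test are worth doing alongside the upgrade.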