CVE-2022-40743
Publication date 19 December 2022
Last updated 26 August 2025
Ubuntu priority
Description
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| trafficserver | 26.04 LTS resolute | Not in release |
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Ignored end of standard support, was needs-triage | |
| 18.04 LTS bionic | Ignored end of standard support, was needs-triage | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.1 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
Other references
- https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02
- https://github.com/apache/trafficserver/commit/eb5efe19e68e51db58a6320b4a99e3fc83336a14 (master)
- https://github.com/apache/trafficserver/commit/20c857a785da93fa0e3263597207b5ef35b65b7c (v9.1.x)
- https://www.cve.org/CVERecord?id=CVE-2022-40743