CVE-2024-50306

Apache Traffic Server: Server process can fail to drop privilege

CVSS 9.1 CRITICAL | EPSS 1.6% | CWE-252
In short

Apache Traffic Server fails to properly drop system privileges when starting up, potentially allowing the server to run with higher access levels than intended. This could let attackers exploit the service with elevated permissions.

Technical detail

A missing return value check in the privilege-dropping mechanism during startup allows Apache Traffic Server to continue execution even if privilege reduction fails, so the process retains root or other elevated privileges. The vulnerability affects versions 9.2.0–9.2.5 and 10.0.0–10.0.1, enabling privilege escalation if an attacker can compromise or interact with the improperly privileged process.
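
As an added illustration of the CWE-252 pattern this advisory describes (not Apache Traffic Server's code; the function names and the function-pointer seams are hypothetical, used so both variants can be exercised unprivileged), the unchecked privilege drop beside a hardened one that fails closed and verifies the result:

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seams so both patterns can be exercised unprivileged and with
 * simulated failures; a real daemon would call setgid()/setuid() directly. */
typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* CWE-252 pattern: results discarded, so startup always reports success and
 * the process may carry on with the privileges it was launched with. */
int drop_privileges_unchecked(setgid_fn do_setgid, setuid_fn do_setuid,
                              uid_t uid, gid_t gid)
{
    (void)do_setgid(gid);
    (void)do_setuid(uid);
    return 0;                         /* the bug: success is assumed */
}

/* Hardened pattern: fail closed on any error (errno is left set for the
 * caller) and confirm the kernel applied the change. Group first, because
 * setgid() needs the privilege that setuid() gives away. */
int drop_privileges_checked(setgid_fn do_setgid, setuid_fn do_setuid,
                            uid_t uid, gid_t gid)
{
    if (do_setgid(gid) != 0 || do_setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;                /* call returned 0 but ids unchanged */
        return -1;
    }
    return 0;
}

/* Simulated syscalls (constructed for the demonstration only). */
static int sim_setgid_eperm(gid_t g) { (void)g; errno = EPERM; return -1; }
static int sim_setuid_lies(uid_t u)  { (void)u; return 0; }

int main(void)
{
    uid_t me = getuid(); gid_t mg = getgid();
    printf("unchecked, setgid fails: %d\n", drop_privileges_unchecked(sim_setgid_eperm, setuid, me, mg));
    printf("checked, setgid fails:   %d\n", drop_privileges_checked(sim_setgid_eperm, setuid, me, mg));
    printf("checked, setuid lies:    %d\n", drop_privileges_checked(setgid, sim_setuid_lies, me + 1, mg));
    printf("checked, genuine drop:   %d\n", drop_privileges_checked(setgid, setuid, me, mg));
    return 0;
}
```

A production drop would also clear supplementary groups with setgroups() before setgid() and check that call the same way; this block covers only the two calls the pattern is about.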

Summary above generated and translated by AI from the official description.

Official description

Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
