CVE-2024-50306
Publication date 14 November 2024
Last updated 12 February 2026
Ubuntu priority
Description
Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| trafficserver | 25.10 questing |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
Notes
ebarretto
Even though description mention 9.2.0 through 9.2.5, the oss-security mentions 9.0.0 to 9.2.5 and the vulnerable code can be found in jammy Follow up to the fix: https://github.com/apache/trafficserver/commit/a0d49ddb44ea5e295c85d7d88a13e4978d6bc84b (9.2.7-rc0)
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.1 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-50306
- https://www.openwall.com/lists/oss-security/2024/11/13/1
- https://github.com/apache/trafficserver/pull/11855
- https://github.com/apache/trafficserver/commit/27f504883547502b1f5e4e389edd7f26e3ab246f (9.2.6-rc0)
- https://github.com/apache/trafficserver/commit/ae638096e259121d92d46a9f57026a5ff5bc328b (master)
- https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y