CVE-2020-17522 – github.com/apache/trafficcontrol
Package
Manager: go
Name: github.com/apache/trafficcontrol
Vulnerable Version: >=0 <5.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
EPSS: 0.02162 (percentile 0.83632)
Details
Cache Manipulation Attack in Apache Traffic Control
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN architecture.
Metadata
Created: 2021-06-18T22:04:32Z
Modified: 2022-04-04T21:27:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-pw59-4qgf-jxr8/GHSA-pw59-4qgf-jxr8.json
CWE IDs: ["CWE-525", "CWE-732"]
Alternative ID: GHSA-pw59-4qgf-jxr8
Finding: F039
Auto approve: 1