Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB3NTktNHFnZi1qeHI4

Cache Manipulation Attack in Apache Traffic Control

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into, and remove arbitrary content from, CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN architecture.

Permalink: https://github.com/advisories/GHSA-pw59-4qgf-jxr8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB3NTktNHFnZi1qeHI4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago


CVSS Score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Identifiers: GHSA-pw59-4qgf-jxr8, CVE-2020-17522
References: Repository: https://github.com/apache/trafficcontrol
Blast Radius: 1.7

Affected Packages

go:github.com/apache/trafficcontrol
Dependent packages: 1
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 5.0.0
Fixed in: 5.0.0
All affected versions: 1.1.3
All unaffected versions: 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.6, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 7.0.0, 7.0.1