Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB3NTktNHFnZi1qeHI4
Cache Manipulation Attack in Apache Traffic Control
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.
Permalink: https://github.com/advisories/GHSA-pw59-4qgf-jxr8JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB3NTktNHFnZi1qeHI4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Identifiers: GHSA-pw59-4qgf-jxr8, CVE-2020-17522
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-17522
- https://github.com/apache/trafficcontrol/commit/492290d810e9608afb5d265b98cd3f3e153e776b
- https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8@%3Ccommits.trafficcontrol.apache.org%3E
- https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff466e6efc4284df09%40%3Cdev.trafficcontrol.apache.org%3E
- https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf@%3Ccommits.trafficcontrol.apache.org%3E
- https://github.com/advisories/GHSA-pw59-4qgf-jxr8
Blast Radius: 1.7
Affected Packages
go:github.com/apache/trafficcontrol
Dependent packages: 1Dependent repositories: 2
Downloads:
Affected Version Ranges: < 5.0.0
Fixed in: 5.0.0
All affected versions: 1.1.3
All unaffected versions: 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.6, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 7.0.0, 7.0.1