CVE-2020-17522

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-17522
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-17522.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-17522
Aliases
Published
2021-01-26T18:15:40Z
Modified
2024-06-06T13:09:41.249432Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

References

Affected packages

Git / github.com/apache/trafficcontrol

Affected ranges

Type
GIT
Repo
https://github.com/apache/trafficcontrol
Events

Affected versions

RELEASE-3.*

RELEASE-3.0.0
RELEASE-3.0.0-RC6
RELEASE-3.0.1
RELEASE-3.0.1-RC1
RELEASE-3.0.1-RC2
RELEASE-3.1.0
RELEASE-3.1.0-RC1