CVE-2020-17522

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-17522

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-17522.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-17522

Aliases

GHSA-pw59-4qgf-jxr8

Published

2021-01-26T18:15:40Z

Modified

2025-01-14T08:34:49.389729Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

References

Affected packages

Git / github.com/apache/trafficcontrol

Affected ranges

Type: GIT
Repo: https://github.com/apache/trafficcontrol
Events: Introduced

92a14286c60e46da08d08c5dfa3114b31e44311a

Last affected

1e34ccd8a15c853902a154600efc60466d5736ca

Introduced

eca5d609dc5877e9abc075c0228e6e400473f564

Last affected

f36275fdca278cad1ec461ec7fc41b3d9ce421a8

Affected versions

RELEASE-3.*

RELEASE-3.0.0

RELEASE-3.0.0-RC6

RELEASE-3.0.1

RELEASE-3.0.1-RC1

RELEASE-3.0.1-RC2

RELEASE-3.1.0

RELEASE-3.1.0-RC1