Security Flaw in Apache Traffic Control Allows Unauthorized Access to CDN Cache Content
CVE-2020-17522

5.8 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 26 January 2021

Summary

A security flaw exists in Apache Traffic Control that affects versions 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0. The vulnerability occurs when the ip_allow.config files are generated: the generated files include improper permissions that may allow malicious users to manipulate CDN cache servers. This can permit unauthorized addition or removal of content, and in certain situations these permissions may extend to clients with external IP addresses beyond the intended network, raising significant security concerns for content delivery and data integrity.
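One way to check a generated ip_allow.config for the condition described above, as an added example that is not Apache Traffic Control's own code. It assumes the legacy Apache Traffic Server line format (`src_ip=... action=ip_allow|ip_deny method=...`), treats PUSH, PURGE and DELETE as the content-modifying methods, and uses hypothetical trusted ranges; each rule is judged on its own and rule order is not modelled.

```python
import ipaddress

# Assumption: these are the methods that add or remove cached content.
CONTENT_METHODS = {"PUSH", "PURGE", "DELETE"}

def src_range(src):
    """Return (low, high) addresses for 'a.b.c.d', 'lo-hi' or CIDR notation."""
    if "-" in src:
        lo, hi = (ipaddress.ip_address(p) for p in src.split("-", 1))
        return lo, hi
    net = ipaddress.ip_network(src, strict=False)
    return net[0], net[-1]

def granted(action, methods):
    """Content-modifying methods a rule lets through (assumed semantics:
    ip_allow permits only listed methods, ip_deny blocks only listed ones)."""
    if action == "ip_allow":
        return set(CONTENT_METHODS) if "ALL" in methods else methods & CONTENT_METHODS
    return set() if "ALL" in methods else CONTENT_METHODS - methods

def audit(text, trusted):
    """Return (line_no, src_ip, methods) for rules exposing content methods
    to addresses outside the trusted networks. Rule order is not modelled."""
    trusted = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = dict(t.split("=", 1) for t in raw.split("#")[0].split() if "=" in t)
        if "src_ip" not in fields or "action" not in fields:
            continue  # blank, comment, or a rule type this audit does not cover
        methods = {m.upper() for m in fields.get("method", "ALL").split("|")}
        exposed = granted(fields["action"], methods)
        lo, hi = src_range(fields["src_ip"])
        inside = all(any(n.version == t.version and n.subnet_of(t) for t in trusted)
                     for n in ipaddress.summarize_address_range(lo, hi))
        if exposed and not inside:
            findings.append((no, fields["src_ip"], sorted(exposed)))
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=10.0.0.0/8 action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255 action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["127.0.0.0/8", "10.0.0.0/8"]):
        print(finding)
```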

Affected Version(s)

Apache Traffic Control 3.0.0 to 3.1.0, 4.0.0 to 4.1.0

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
