CVE-2020-17522

5.8MEDIUM

Key Information:

Vendor
Apache
Status
Apache Traffic Control
Vendor
CVE Published:
26 January 2021

Summary

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

Affected Version(s)

Apache Traffic Control Traffic Control 3.0.0 to 3.1.0, 4.0.0 to 4.1.0

References

https://lists.apache.org/thread.html/r3de212a3da73bcf98fa...
x_refsource_MISC
https://lists.apache.org/thread.html/r3c675031ac220b5eae6...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.