Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
CVE-2022-23206

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Traffic Control
Vendor: CVE Published:; 6 February 2022

What is CVE-2022-23206?

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Affected Version(s)

Apache Traffic Control Traffic Ops < 6.1.0

References

https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vv...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 6, 2022
Vulnerability Reserved
Jan 13, 2022

Credit

Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue.

JSON