CVE-2020-17522 — Incorrect Permission Assignment in Apache Trafficcontrol

CWE-732 — Incorrect Permission Assignment CWE-525 — Use of Web Browser Cache Containing Sensitive Information4 documents4 sources

Severity

5.8MEDIUMNVD

EPSS

2.2%

top 15.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Apache Trafficcontrol Apache Traffic Control Apache Software Foundation Apache Traffic Control

Timeline

PublishedJan 26

Latest updateJun 18

Description

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Gogithub.com/apache_trafficcontrol< 5.0.0

▶NVDapache/traffic_control3.0.0 — 3.1.0+1

▶CVEListV5apache_software_foundation/apache_traffic_controlTraffic Control 3.0.0 to 3.1.0, 4.0.0 to 4.1.0

🔴Vulnerability Details

OSV

Cache Manipulation Attack in Apache Traffic Control↗2021-06-18

▶

GHSA

Cache Manipulation Attack in Apache Traffic Control↗2021-06-18

▶

CVEList

CVE-2020-17522: When ORT (now via atstccfg) generates ip_allow↗2021-01-26

▶