History: Jan 26, 2021 - 6:15 p.m.

CVE-2020-17522

2021-01-26 18:15:40
CWE-732
web.nvd.nist.gov
cve
2020
17522
apache traffic control
security vulnerability
cdn
cache servers

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 5.8 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

AI Score: 5.6 Medium
Confidence: High

EPSS: 0.003 Low
Percentile: 69.7%

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN architecture.

Affected configurations

Node: apache traffic_control
Range: 4.0.0 to 4.1.0

CNA Affected

[
  {
    "product": "Apache Traffic Control",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Traffic Control 3.0.0 to 3.1.0, 4.0.0 to 4.1.0"
      }
    ]
  }
]
