Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-AE16256E7DD2D6246931B4FCC960EFE9Incorrect Permission Assignment for Critical Resource
0.003 Low
EPSS
Percentile
69.6%
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.
| CPE | Name | Operator | Version |
|---|---|---|---|
| go/github.com/apache/trafficcontrol | lt | v5.0.0 |
References
github.com/advisories/GHSA-pw59-4qgf-jxr8
github.com/apache/trafficcontrol/commit/492290d810e9608afb5d265b98cd3f3e153e776b
lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8@%3Ccommits.trafficcontrol.apache.org%3E
lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff466e6efc4284df09%40%3Cdev.trafficcontrol.apache.org%3E
lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf@%3Ccommits.trafficcontrol.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2020-17522
Related
