CVE-2020-17522

2021-01-2618:15:40

Google

osv.dev

6.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.6%

JSON

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

CPENameOperatorVersion
incubator-trafficcontroleqRELEASE-3.1.0
incubator-trafficcontroleqRELEASE-3.0.1-RC2
incubator-trafficcontroleqRELEASE-3.0.1-RC1
incubator-trafficcontroleqRELEASE-3.0.0-RC6
incubator-trafficcontroleqRELEASE-3.0.1
incubator-trafficcontroleqRELEASE-3.1.0-RC1
incubator-trafficcontroleqRELEASE-3.0.0

Name	Operator	Version
incubator-trafficcontrol	eq	RELEASE-3.1.0
incubator-trafficcontrol	eq	RELEASE-3.0.1-RC2
incubator-trafficcontrol	eq	RELEASE-3.0.1-RC1
incubator-trafficcontrol	eq	RELEASE-3.0.0-RC6
incubator-trafficcontrol	eq	RELEASE-3.0.1
incubator-trafficcontrol	eq	RELEASE-3.1.0-RC1
incubator-trafficcontrol	eq	RELEASE-3.0.0