Vulnerability Description
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Traffic Control | >= 3.0.0, <= 3.1.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c604573
- https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff46Mailing ListVendor Advisory
- https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d
- https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c604573
- https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff46Mailing ListVendor Advisory
- https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d
FAQ
What is CVE-2020-17522?
CVE-2020-17522 is a vulnerability with a CVSS score of 5.8 (MEDIUM). When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content...
How severe is CVE-2020-17522?
CVE-2020-17522 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-17522?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Traffic Control.