You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Zach Hoffman <zr...@apache.org> on 2022/02/05 00:08:03 UTC
CVE-2022-23206: Apache Traffic Control: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
Description:
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
Mitigation:
6.0.x user should upgrade to 6.1.0.
5.1.x users should upgrade to 5.1.6 or 6.1.0.
Credit:
Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue.