You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Zach Hoffman <zr...@apache.org> on 2022/02/05 00:08:03 UTC

CVE-2022-23206: Apache Traffic Control: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth

Description:

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Mitigation:

6.0.x user should upgrade to 6.1.0.
5.1.x users should upgrade to 5.1.6 or 6.1.0.

Credit:

Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue.