Posted to announce@apache.org by Eric Friedrich <fr...@apache.org> on 2021/10/13 18:58:07 UTC

Re: CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request

Additional Information:

Impacted Versions:
5.1.x users should upgrade to 5.1.3 or 6.0.0.
4.1.x users should upgrade to 5.1.3.

Credit:
This issue was discovered by GitHub's CodeQL code scanning service.


On Mon, Oct 11, 2021 at 8:29 PM Eric Friedrich <fr...@apache.org> wrote:
>
> Description:
>
> An authenticated Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address.
>