CVE-2020-17522

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:08

Type Values Removed Values Added
References () https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8%40%3Ccommits.trafficcontrol.apache.org%3E - () https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8%40%3Ccommits.trafficcontrol.apache.org%3E -
References () https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff466e6efc4284df09%40%3Cdev.trafficcontrol.apache.org%3E - Mailing List, Vendor Advisory () https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff466e6efc4284df09%40%3Cdev.trafficcontrol.apache.org%3E - Mailing List, Vendor Advisory
References () https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf%40%3Ccommits.trafficcontrol.apache.org%3E - () https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf%40%3Ccommits.trafficcontrol.apache.org%3E -

07 Nov 2023, 03:19

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf@%3Ccommits.trafficcontrol.apache.org%3E', 'name': '[trafficcontrol-commits] 20211011 [trafficcontrol-website] 01/02: Add CVE-2021-42009', 'tags': ['Mailing List', 'Patch', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8@%3Ccommits.trafficcontrol.apache.org%3E', 'name': '[trafficcontrol-commits] 20210616 [trafficcontrol-website] branch asf-site updated: Fix CVE-2020-17522 link', 'tags': ['Mailing List', 'Patch', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8%40%3Ccommits.trafficcontrol.apache.org%3E -
  • () https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf%40%3Ccommits.trafficcontrol.apache.org%3E -

Information

Published : 2021-01-26 18:15

Updated : 2024-11-21 05:08


NVD link : CVE-2020-17522

Mitre link : CVE-2020-17522

CVE.ORG link : CVE-2020-17522


JSON object : View

Products Affected

apache

  • traffic_control
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource