CVE-2020-17522
Last modified
CVE-2020-17522 is a medium-severity vulnerability rated 5.8/10 on the CVSS scale. When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.. EPSS estimates a 3.93% chance of exploitation in the next 30 days.
Description
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Traffic Control | >= 3.0.0, <= 3.1.0 |
| Apache | Traffic Control | >= 4.0.0, <= 4.1.0 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-17522?
How severe is CVE-2020-17522?
How do I fix CVE-2020-17522?
Are you affected by CVE-2020-17522?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST