Description
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into, and remove arbitrary content from, CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, so they may be granted to clients outside the CDN architecture.
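The two weaknesses described above are both visible in the generated ip_allow.config itself: a source range that is allowed write-type methods (PUSH, PURGE, DELETE, or ALL) from anywhere other than loopback, and a source range that covers more addresses than the cache servers it was meant to admit. The following audit script is an added example, not code from Apache Traffic Control or Apache Traffic Server; it parses the legacy key=value ip_allow.config format (src_ip= / action= / method=), and both sample configurations and the list of child-cache addresses are constructed for illustration.

```python
"""Audit an Apache Traffic Server ip_allow.config (legacy key=value format) for
write methods granted to non-loopback sources and for source ranges wider than
the set of cache servers they are meant to cover.

Added example; sample configs and host lists below are constructed, not taken
from any real deployment.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

WRITE_METHODS = {"PUSH", "PURGE", "DELETE"}

# Constructed: mimics an over-permissive generated file, where the child-cache
# range was widened to a whole /24 and granted every method.
WEAK_CONFIG = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=192.0.2.0-192.0.2.255 action=ip_allow method=ALL
"""

# Constructed: exact child-cache addresses with read-only methods, and the
# ATS-default pattern of denying write methods from every other source.
HARDENED_CONFIG = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=192.0.2.10-192.0.2.13 action=ip_allow method=GET|HEAD|OPTIONS
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
"""

# Constructed: the child caches this server is actually supposed to admit.
KNOWN_CHILD_CACHES = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]


@dataclass
class Rule:
    first: ipaddress.IPv4Address | ipaddress.IPv6Address
    last: ipaddress.IPv4Address | ipaddress.IPv6Address
    action: str
    methods: set[str]


def parse_src_ip(spec: str):
    """Accept a single address, an a-b range, or CIDR; return (first, last)."""
    if "-" in spec:
        a, b = spec.split("-", 1)
        return ipaddress.ip_address(a), ipaddress.ip_address(b)
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    addr = ipaddress.ip_address(spec)
    return addr, addr


def parse_ip_allow(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        first, last = parse_src_ip(fields["src_ip"])
        methods = set(fields.get("method", "ALL").upper().split("|"))
        rules.append(Rule(first, last, fields["action"], methods))
    return rules


def allows_writes(rule: Rule) -> bool:
    return rule.action == "ip_allow" and bool(
        "ALL" in rule.methods or rule.methods & WRITE_METHODS
    )


def is_loopback(rule: Rule) -> bool:
    return rule.first.is_loopback and rule.last.is_loopback


def audit(text: str, known_hosts: list[str]) -> list[str]:
    """Return one finding per weak rule; an empty list means the file is clean."""
    known = {ipaddress.ip_address(h) for h in known_hosts}
    findings = []
    for rule in parse_ip_allow(text):
        if rule.action != "ip_allow" or is_loopback(rule):
            continue
        span = f"{rule.first}-{rule.last}"
        if allows_writes(rule):
            findings.append(f"write methods granted to {span}")
        # Only compare addresses of the same family; v4/v6 are not orderable together.
        same_family = {h for h in known if h.version == rule.first.version}
        in_range = {h for h in same_family if rule.first <= h <= rule.last}
        extra = (int(rule.last) - int(rule.first) + 1) - len(in_range)
        if extra > 0:
            findings.append(
                f"{span} covers {extra} address(es) beyond the {len(in_range)} known cache(s)"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, KNOWN_CHILD_CACHES) or ["no findings"])
```

Run against a real file with `audit(open("ip_allow.config").read(), hosts)`, where `hosts` comes from the authoritative inventory of caches that should reach this server; any non-loopback rule that admits PUSH, PURGE or DELETE, or that spans addresses not in that inventory, is the condition the advisory describes.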
References (3)
Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/r3de212a3da73bcf98fa2db7eafb75b2eb8e131ff466e6efc4284df09%40%3Cdev.trafficcontrol.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8%40%3Ccommits.trafficcontrol.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf%40%3Ccommits.trafficcontrol.apache.org%3E
Scores
CVSS v3
5.8
EPSS
0.0216
EPSS Percentile
84.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Details
CWE
CWE-732
Status
published
Products (2)
apache/traffic_control: 3.0.0 - 3.1.0
apache/trafficcontrol (Go): 0 - 5.0.0
Published
Jan 26, 2021
Tracked Since
Feb 18, 2026