CVE-2020-17522 — Cache Manipulation Attack in Apache Traffic Control

Description

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

How to fix CVE-2020-17522

To remediate CVE-2020-17522, upgrade the affected package to a fixed version below.

—upgrade to 5.0.0 or later

Is CVE-2020-17522 being exploited?

Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-17522
PATCHgithub.com/apache/trafficcontrol
WEBgithub.com/apache/trafficcontrol/commit/492290d810e9608afb5d265b98cd3f3e153e776b
WEBlists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8@%3Ccommits.trafficcontrol.apache.org%3E