oss-sec mailing list archives

CVE-2022-23206: Apache Traffic Control: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth

From: Zach Hoffman <zrhoffman () apache org>
Date: Sat, 05 Feb 2022 00:08:03 +0000

Description:

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over 
HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can 
reach.

Mitigation:

6.0.x user should upgrade to 6.1.0.
5.1.x users should upgrade to 5.1.6 or 6.1.0.

Credit:

Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue.

Current thread:

CVE-2022-23206: Apache Traffic Control: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth Zach Hoffman (Feb 04)