CVE-2021-42009 - OpenCVE

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Traffic Control

Configuration 1 [-]

cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/10/12/1	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r78d471d8a4fd268a4c5ae6c47327c09d9d4b4467c31da2c97422febb%40%3Cdev.trafficcontrol.apache.org%3E
https://lists.apache.org/thread.html/r7dfa9a89b39d06caeeeb7b5cdc41b3493a9b86cc6cfa059d3f349d87%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/re384fd0f44c6d230f31376153c6e8b59e4a669f927c1533d06d702af%40%3Cdev.trafficcontrol.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rf0481b9e38ece1ece458d3ce7b2d671df819e3555597f31fc34f084e%40%3Ccommits.trafficcontrol.apache.org%3E	Mailing List Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2021-10-12T07:40:11

Updated: 2021-10-13T23:06:11

Reserved: 2021-10-05T00:00:00

Link: CVE-2021-42009

JSON object: View

NVD Information

Status : Modified

Published: 2021-10-12T08:15:06.920

Modified: 2023-11-07T03:39:05.567

Link: CVE-2021-42009

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "Apache Traffic Control", "vendor": "Apache Software Foundation", "versions": [{"changes": [{"at": "5.0.0", "status": "affected"}], "lessThan": "Apache Traffic Control*", "status": "affected", "version": "4.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by GitHub's CodeQL code scanning service."}], "descriptions": [{"lang": "en", "value": "An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"description": "Email Injection Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-13T23:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/re384fd0f44c6d230f31376153c6e8b59e4a669f927c1533d06d702af%40%3Cdev.trafficcontrol.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/rf0481b9e38ece1ece458d3ce7b2d671df819e3555597f31fc34f084e%40%3Ccommits.trafficcontrol.apache.org%3E"}, {"name": "[oss-security] 20211012 CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/10/12/1"}, {"name": "[trafficcontrol-dev] 20211013 Re: CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r78d471d8a4fd268a4c5ae6c47327c09d9d4b4467c31da2c97422febb%40%3Cdev.trafficcontrol.apache.org%3E"}, {"name": "[announce] 20211013 Re: CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r7dfa9a89b39d06caeeeb7b5cdc41b3493a9b86cc6cfa059d3f349d87%40%3Cannounce.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Traffic Control Traffic Ops Email Injection Vulnerability", "workarounds": [{"lang": "en", "value": "5.1.x users should upgrade to 5.1.3 or 6.0.0.\n4.1.x users should upgrade to 5.1.3."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-42009", "STATE": "PUBLIC", "TITLE": "Apache Traffic Control Traffic Ops Email Injection Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Traffic Control", "version": {"version_data": [{"version_affected": ">=", "version_name": "Apache Traffic Control", "version_value": "4.0.0"}, {"version_affected": ">=", "version_name": "Apache Traffic Control", "version_value": "5.0.0"}, {"version_affected": "<=", "version_name": "Apache Traffic Control", "version_value": "5.1.2 +1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered by GitHub's CodeQL code scanning service."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "Email Injection Vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/re384fd0f44c6d230f31376153c6e8b59e4a669f927c1533d06d702af%40%3Cdev.trafficcontrol.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/re384fd0f44c6d230f31376153c6e8b59e4a669f927c1533d06d702af%40%3Cdev.trafficcontrol.apache.org%3E"}, {"name": "https://lists.apache.org/thread.html/rf0481b9e38ece1ece458d3ce7b2d671df819e3555597f31fc34f084e%40%3Ccommits.trafficcontrol.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rf0481b9e38ece1ece458d3ce7b2d671df819e3555597f31fc34f084e%40%3Ccommits.trafficcontrol.apache.org%3E"}, {"name": "[oss-security] 20211012 CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/10/12/1"}, {"name": "[trafficcontrol-dev] 20211013 Re: CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r78d471d8a4fd268a4c5ae6c47327c09d9d4b4467c31da2c97422febb@%3Cdev.trafficcontrol.apache.org%3E"}, {"name": "[announce] 20211013 Re: CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7dfa9a89b39d06caeeeb7b5cdc41b3493a9b86cc6cfa059d3f349d87@%3Cannounce.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "5.1.x users should upgrade to 5.1.3 or 6.0.0.\n4.1.x users should upgrade to 5.1.3."}]}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-42009", "datePublished": "2021-10-12T07:40:11", "dateReserved": "2021-10-05T00:00:00", "dateUpdated": "2021-10-13T23:06:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "D16F6223-EF15-4B1C-B9BC-5410F662991C", "versionEndExcluding": "5.1.3", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3."}, {"lang": "es", "value": "Un usuario autenticado de Apache Traffic Control Traffic Ops con privilegios de nivel de portal puede enviar una petici\u00f3n con un asunto de correo electr\u00f3nico especialmente dise\u00f1ado al endpoint /deliveryservices/request Traffic Ops para enviar un correo electr\u00f3nico, desde el servidor Traffic Ops, con un cuerpo arbitrario a una direcci\u00f3n de correo electr\u00f3nico arbitraria. Los usuarios de Apache Traffic Control versiones 5.1.x deben actualizar a la versi\u00f3n 5.1.3 o 6.0.0. Los usuarios de la versi\u00f3n 4.1.x deben actualizar a la versi\u00f3n 5.1.3"}], "id": "CVE-2021-42009", "lastModified": "2023-11-07T03:39:05.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-12T08:15:06.920", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/10/12/1"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r78d471d8a4fd268a4c5ae6c47327c09d9d4b4467c31da2c97422febb%40%3Cdev.trafficcontrol.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r7dfa9a89b39d06caeeeb7b5cdc41b3493a9b86cc6cfa059d3f349d87%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/re384fd0f44c6d230f31376153c6e8b59e4a669f927c1533d06d702af%40%3Cdev.trafficcontrol.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rf0481b9e38ece1ece458d3ce7b2d671df819e3555597f31fc34f084e%40%3Ccommits.trafficcontrol.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}]}