CVE-2022-23206 - OpenCVE

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Traffic Control

Configuration 1 [-]

OR	cpe:2.3:a:apache:traffic_control::::::::
	cpe:2.3:a:apache:traffic_control::::::::

References

Link	Resource
https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f	Mailing List Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2022-02-06T15:15:10

Updated: 2022-02-06T15:15:10

Reserved: 2022-01-13T00:00:00

Link: CVE-2022-23206

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-02-06T16:15:07.593

Modified: 2022-02-11T03:16:26.443

Link: CVE-2022-23206

JSON object: View

Redhat Information

No data.

CWE

CWE-918

{"containers": {"cna": {"affected": [{"product": "Apache Traffic Control", "vendor": "Apache Software Foundation", "versions": [{"changes": [{"at": "5.1.6", "status": "unaffected"}], "lessThan": "6.1.0", "status": "affected", "version": "Traffic Ops", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue."}], "descriptions": [{"lang": "en", "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-06T15:15:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}], "source": {"discovery": "UNKNOWN"}, "title": "Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth", "workarounds": [{"lang": "en", "value": "6.0.x user should upgrade to 6.1.0.\n5.1.x users should upgrade to 5.1.6 or 6.1.0."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-23206", "STATE": "PUBLIC", "TITLE": "Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Traffic Control", "version": {"version_data": [{"version_affected": "<", "version_name": "Traffic Ops", "version_value": "6.1.0"}, {"version_affected": "<", "version_name": "Traffic Ops", "version_value": "5.1.6"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f", "refsource": "MISC", "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "6.0.x user should upgrade to 6.1.0.\n5.1.x users should upgrade to 5.1.6 or 6.1.0."}]}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23206", "datePublished": "2022-02-06T15:15:10", "dateReserved": "2022-01-13T00:00:00", "dateUpdated": "2022-02-06T15:15:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2831474-61B4-4F7F-91BC-520068D6BBFF", "versionEndExcluding": "5.1.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "64893710-A989-44B6-BEC6-A49B5287ACEE", "versionEndExcluding": "6.1.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach."}, {"lang": "es", "value": "En Apache Traffic Control Traffic Ops versiones anteriores a 6.1.0 o 5.1.6, un usuario no privilegiado que puede llegar a Traffic Ops a trav\u00e9s de HTTPS puede enviar una petici\u00f3n POST especialmente dise\u00f1ada a /user/login/oauth para escanear un puerto de un servidor al que Traffic Ops puede llegar"}], "id": "CVE-2022-23206", "lastModified": "2022-02-11T03:16:26.443", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-06T16:15:07.593", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@apache.org", "type": "Secondary"}]}