CVE-2020-17522: Cache Manipulation Attack in Apache Traffic Control
CVSS Score: 5.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-17522
GHSA ID
EPSS Score: 0.85691%
CWE
Published: 6/18/2021
Updated: 2/1/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/apache/trafficcontrol | go | < 5.0.0 | 5.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper handling of ip_allow.config updates in ORT. The commit diff shows critical changes to the process_cfg_file subroutine, where a new guard clause was added to prevent ip_allow.config updates unless in 'badass' mode or with the explicit syncds_updates_ipallow flag. Before this patch, the function lacked these safeguards, allowing unauthorized updates that could propagate insecure permissions. That the patch modifies this function directly to add security checks indicates it was the source of the vulnerability.