Apache Traffic Control

Do you want an email whenever new security vulnerabilities are reported in Apache Traffic Control?

By the Year

In 2024 there have been 0 vulnerabilities in Apache Traffic Control . Traffic Control did not have any published security vulnerabilities last year.

Year	Vulnerabilities	Average Score
2024	0	0.00
2023	0	0.00
2022	1	7.50
2021	3	6.63
2020	0	0.00
2019	1	9.80
2018	0	0.00

It may take a day or so for new Traffic Control vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Traffic Control Security Vulnerabilities

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server

CVE-2022-23206 7.5 - High - February 06, 2022

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

XSPA

An unauthenticated Apache Traffic Control Traffic Ops user

CVE-2021-43350 9.8 - Critical - November 11, 2021

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.

Injection

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email

CVE-2021-42009 4.3 - Medium - October 12, 2021

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3.

Improper Input Validation

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions

CVE-2020-17522 5.8 - Medium - January 26, 2021

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

Incorrect Permission Assignment for Critical Resource

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component

CVE-2019-12405 9.8 - Critical - September 09, 2019

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.

authentification

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack

CVE-2017-7670 7.5 - High - July 10, 2017

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Traffic Router is restarted. If connections remain in the ESTABLISHED state indefinitely and accumulate in number to match the size of the thread pool dedicated to processing DNS requests, the thread pool becomes exhausted. Once the thread pool is exhausted, Traffic Router is unable to service any DNS request, regardless of transport protocol.

Resource Exhaustion

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apache Traffic Control or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Traffic Control
Product

Apache Traffic Control

By the Year

Recent Apache Traffic Control Security Vulnerabilities

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server CVE-2022-23206 7.5 - High - February 06, 2022

An unauthenticated Apache Traffic Control Traffic Ops user CVE-2021-43350 9.8 - Critical - November 11, 2021

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email CVE-2021-42009 4.3 - Medium - October 12, 2021

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions CVE-2020-17522 5.8 - Medium - January 26, 2021

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component CVE-2019-12405 9.8 - Critical - September 09, 2019

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack CVE-2017-7670 7.5 - High - July 10, 2017