Rewterz Threat Advisory – Apache Traffic Control security bypass

Severity

Medium

Analysis Summary

CVE-2020-17522

Apache Traffic Control could allow a remote attacker to bypass security restrictions, caused by improper permission assignment when generating ip_allow.config. By sending a specially-crafted request, an attacker could exploit this vulnerability to push arbitrary content into and remove arbitrary content from CDN cache servers.

Impact

Security bypass

Affected Vendors

Apache

Affected Products

  • Apache Traffic Control 3.0.0
  • Apache Traffic Control 3.1.0
  • Apache Traffic Control 4.0.0
  • Apache Traffic Control 4.1.0

Remediation

Upgrade to the latest version of Traffic Control (4.1.1, 5.0.0 or later)
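
A defender-side check for the condition in the Analysis Summary, added here as an example and not taken from the advisory or from Apache Traffic Control: it lints an ip_allow.config in the legacy Apache Traffic Server `src_ip= action= method=` line format and reports allow rules that grant cache-modifying methods to non-loopback sources. The method set, the default-to-ALL behaviour and the sample rules are assumptions constructed for illustration, and rule ordering is not modelled.

```python
import ipaddress

# Assumption: these ATS methods map to the advisory's "push" and "remove" operations.
RISKY = {"PUSH", "PURGE", "DELETE"}

# Constructed sample, not output from a real Traffic Control deployment.
SAMPLE = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=10.0.0.0/8 action=ip_allow method=ALL
src_ip=192.0.2.10-192.0.2.20 action=ip_allow method=GET|HEAD|PURGE
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
"""

def parse_rule(line):
    """Return (fields, methods) for one rule line, or None for blanks and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields, methods = {}, set()
    for key, _, value in (tok.partition("=") for tok in line.split()):
        if key == "method":
            methods.update(m for m in value.upper().split("|") if m)
        else:
            fields[key] = value
    return fields, methods or {"ALL"}  # assumption: no method field means ALL

def is_loopback_only(src):
    """True if every address in src (single IP, CIDR or a-b range) is loopback."""
    try:
        if "-" in src:
            lo, hi = (ipaddress.ip_address(p) for p in src.split("-", 1))
            return lo.is_loopback and hi.is_loopback
        return ipaddress.ip_network(src, strict=False).is_loopback
    except ValueError:
        return False  # unparsable source: report it rather than trust it

def audit(config_text):
    """List (line number, src_ip, methods) for ip_allow rules that grant RISKY methods."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None or parsed[0].get("action") != "ip_allow":
            continue
        fields, methods = parsed
        granted = RISKY if "ALL" in methods else methods & RISKY
        if granted and not is_loopback_only(fields.get("src_ip", "")):
            findings.append((lineno, fields.get("src_ip", ""), sorted(granted)))
    return findings
```

Each finding is a rule to review against the set of hosts that are meant to manage cache content; a flagged rule may still be shadowed by an earlier deny rule, which this lint does not evaluate.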