Description
Server-Side Request Forgery in Apache Traffic Control
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
Packages
Name
github.com/apache/trafficcontrol
go
Affected versions: >= 6.0.0, < 6.1.0
Fixed version: 6.1.0
Name
github.com/apache/trafficcontrol
go
Affected versions: < 5.1.6
Fixed version: 5.1.6
Related vulnerabilities
CVSS3: 7.5
nvd
about 4 years ago
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.