Description
The ACL configured in ip_allow.config or remap.config does not use the IP addresses provided by the PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses the ACL should use if Apache Traffic Server is configured to accept the PROXY protocol. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
A flaw was found in trafficserver. Access control lists (ACLs) configured within ip_allow.config or remap.config incorrectly utilize IP addresses, failing to account for those provided by the PROXY protocol. This can allow an attacker to bypass intended access restrictions by manipulating the source IP address presented via the PROXY protocol. This misconfiguration allows for unintended access based on a non-validated IP address.
Statement
The severity is rated as Moderate because this vulnerability requires a specific, non-default configuration to be exploitable. Apache Traffic Server is primarily available in Red Hat environments through the Extra Packages for Enterprise Linux (EPEL) repository, which is community-supported. The impact is limited to environments where administrators have explicitly enabled and trusted the PROXY protocol for client IP information in their ACL configurations. This reduces the likelihood of broad impact across Red Hat products.
Mitigation
To mitigate this flaw, use the new setting (proxy.config.acl.subjects) to choose which IP addresses the ACL should use if Apache Traffic Server is configured to accept the PROXY protocol.
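As an added illustration (not code from this advisory or from Apache Traffic Server), the following Python models the decision the advisory describes: a PROXY protocol v1 header is parsed, and a simplified ip_allow-style ACL is evaluated against either the TCP peer address or the client address carried in the PROXY header, in the spirit of proxy.config.acl.subjects. The PEER/PROXY subject names, the all-selected-subjects-must-match rule and the sample addresses are this example's own constructed assumptions.

```python
import ipaddress

def parse_proxy_v1(header: bytes) -> dict:
    """Parse a PROXY protocol v1 line: 'PROXY TCP4 <src> <dst> <sport> <dport>' + CRLF.
    Only TCP4/TCP6 are handled (the 'PROXY UNKNOWN' form is rejected here)."""
    if not header.endswith(b"\r\n"):
        raise ValueError("PROXY v1 header must end with CRLF")
    fields = header[:-2].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != dst.version or src.version != (4 if fields[1] == "TCP4" else 6):
        raise ValueError("address family does not match the header")
    return {"src_ip": src, "dst_ip": dst,
            "src_port": int(fields[4]), "dst_port": int(fields[5])}

def acl_allows(allowed_nets, peer_ip, proxy_src_ip, subjects=("PEER",)) -> bool:
    """Simplified ip_allow-style check. 'subjects' plays the role of
    proxy.config.acl.subjects: PEER = the TCP peer address, PROXY = the client
    address carried in the PROXY header. Requiring every selected subject to be
    allowed is this model's assumption, not necessarily ATS's exact semantics."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    candidates = {"PEER": peer_ip, "PROXY": proxy_src_ip}
    for subject in subjects:
        ip = candidates[subject]
        if ip is None or not any(ip in net for net in nets):
            return False
    return True

# Constructed sample: a trusted load balancer (10.0.0.5) forwards a connection
# from an outside client (203.0.113.7) and announces it with a PROXY v1 header.
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.10 51234 8080\r\n"
LOAD_BALANCER_IP = ipaddress.ip_address("10.0.0.5")
ALLOWED = ["10.0.0.0/8"]  # the ACL intends to admit internal addresses only

def demo() -> dict:
    client_ip = parse_proxy_v1(SAMPLE_HEADER)["src_ip"]
    return {
        # unpatched behaviour: the ACL only ever sees the load balancer's address,
        # so every client behind it inherits the load balancer's trust
        "peer_only": acl_allows(ALLOWED, LOAD_BALANCER_IP, client_ip, ("PEER",)),
        # with PROXY selected, the address the PROXY header carries is checked
        "proxy_subject": acl_allows(ALLOWED, LOAD_BALANCER_IP, client_ip, ("PROXY",)),
        "both": acl_allows(ALLOWED, LOAD_BALANCER_IP, client_ip, ("PEER", "PROXY")),
    }

if __name__ == "__main__":
    print(demo())
```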
Additional information
Status:
EPSS:
CVSS3: 6.5 Medium
Related vulnerabilities
A vulnerability in the Apache Traffic Server web server, related to flaws in access control, that allows an attacker to affect the confidentiality of protected information.