CVE-2022-23206 - Vulnerability Details - OpenCVE

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00865.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Traffic Control

Configuration 1 [-]

OR	cpe:2.3:a:apache:traffic_control::::::::
	cpe:2.3:a:apache:traffic_control::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-1233	In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
Github GHSA	GHSA-wp47-9r3h-xfgq	Server-Side Request Forgery in Apache Traffic Control

Fixes

Solution

No solution given by the vendor.

Workaround

6.0.x user should upgrade to 6.1.0. 5.1.x users should upgrade to 5.1.6 or 6.1.0.

References

Link	Providers
https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-02-06T15:15:10

Updated: 2024-08-03T03:36:20.177Z

Reserved: 2022-01-13T00:00:00

Link: CVE-2022-23206

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-02-06T16:15:07.593

Modified: 2024-11-21T06:48:12.553

Link: CVE-2022-23206

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Traffic Control", "vendor": "Apache Software Foundation", "versions": [{"changes": [{"at": "5.1.6", "status": "unaffected"}], "lessThan": "6.1.0", "status": "affected", "version": "Traffic Ops", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue."}], "descriptions": [{"lang": "en", "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-06T15:15:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}], "source": {"discovery": "UNKNOWN"}, "title": "Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth", "workarounds": [{"lang": "en", "value": "6.0.x user should upgrade to 6.1.0.\n5.1.x users should upgrade to 5.1.6 or 6.1.0."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-23206", "STATE": "PUBLIC", "TITLE": "Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Traffic Control", "version": {"version_data": [{"version_affected": "<", "version_name": "Traffic Ops", "version_value": "6.1.0"}, {"version_affected": "<", "version_name": "Traffic Ops", "version_value": "5.1.6"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f", "refsource": "MISC", "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "6.0.x user should upgrade to 6.1.0.\n5.1.x users should upgrade to 5.1.6 or 6.1.0."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:36:20.177Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23206", "datePublished": "2022-02-06T15:15:10", "dateReserved": "2022-01-13T00:00:00", "dateUpdated": "2024-08-03T03:36:20.177Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2831474-61B4-4F7F-91BC-520068D6BBFF", "versionEndExcluding": "5.1.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "64893710-A989-44B6-BEC6-A49B5287ACEE", "versionEndExcluding": "6.1.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach."}, {"lang": "es", "value": "En Apache Traffic Control Traffic Ops versiones anteriores a 6.1.0 o 5.1.6, un usuario no privilegiado que puede llegar a Traffic Ops a trav\u00e9s de HTTPS puede enviar una petici\u00f3n POST especialmente dise\u00f1ada a /user/login/oauth para escanear un puerto de un servidor al que Traffic Ops puede llegar"}], "id": "CVE-2022-23206", "lastModified": "2024-11-21T06:48:12.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-06T16:15:07.593", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}