Apache Traffic Control Traffic Ops Email Injection Vulnerability
Description
An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send an email with arbitrary content to an arbitrary recipient via the /deliveryservices/request endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a crafted request to the /deliveryservices/request endpoint. By providing a specially-crafted email subject, the attacker can cause the Traffic Ops server to send an email with an arbitrary body to an arbitrary email address. This vulnerability affects Apache Traffic Control versions 4.1.x and 5.1.x prior to 5.1.3 [1][2].
Exploitation
An attacker must have a valid authenticated session as a Traffic Ops user with Portal-level privileges. No additional privileges or network access beyond the standard API endpoint are required. The attacker sends a POST request to /deliveryservices/request with a maliciously crafted email subject field. The server then sends an email with attacker-controlled body content to an attacker-specified recipient address [1][2].
Impact
Successful exploitation allows the attacker to send arbitrary email messages from the Traffic Ops server infrastructure. This can be used for phishing attacks, spamming, or reputational damage, as the email originates from a trusted internal server. The vulnerability does not directly compromise data confidentiality or integrity on the server, but enables social engineering attacks against recipients [1][2].
Mitigation
Users of Apache Traffic Control 5.1.x should upgrade to version 5.1.3 or later. Users of 4.1.x should upgrade to version 5.1.3 or later. The fix was released on October 12, 2021. There is no known workaround for unpatched versions. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/apache/trafficcontrol (Go) | < 5.1.3 | 5.1.3 |
Affected products
- Range: 4.0.0
Patches
1a52ae6cda73e Version Bump
9 files changed · +9 −9
traffic_router/build/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> <artifactId>traffic_router</artifactId> - <version>5.0.0</version> + <version>5.1.3</version> </parent> <scm>
traffic_router/configuration/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.0.0</version> + <version>5.1.3</version> </parent> <modelVersion>4.0.0</modelVersion>
traffic_router/connector/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> <artifactId>traffic_router</artifactId> - <version>5.0.0</version> + <version>5.1.3</version> </parent> <artifactId>traffic_router_connector</artifactId>
traffic_router/core/pom.xml+1 −1 modified@@ -18,7 +18,7 @@ <parent> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> <artifactId>traffic_router</artifactId> - <version>5.0.0</version> + <version>5.1.3</version> </parent> <artifactId>ROOT</artifactId>
traffic_router/geolocation/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.0.0</version> + <version>5.1.3</version> </parent> <modelVersion>4.0.0</modelVersion>
traffic_router/neustar/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.0.0</version> + <version>5.1.3</version> </parent> <modelVersion>4.0.0</modelVersion>
traffic_router/pom.xml+1 −1 modified@@ -18,7 +18,7 @@ <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.0.0</version> + <version>5.1.3</version> <packaging>pom</packaging> <name>traffic_router</name>
traffic_router/shared/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.0.0</version> + <version>5.1.3</version> </parent> <modelVersion>4.0.0</modelVersion>
VERSION+1 −1 modified@@ -1 +1 @@ -5.1.2 +5.1.3
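Review bot: none of these nine hunks touches Traffic Ops or the /deliveryservices/request handler; each one only rewrites a `<version>` element in a traffic_router pom.xml (5.0.0 to 5.1.3) or the VERSION file (5.1.2 to 5.1.3), so the security fix for the email injection is not contained in this commit and should be traced separately in the 5.1.3 release. The poms were at 5.0.0 while VERSION already read 5.1.2, which indicates the traffic_router module versions had lagged the release for some time and were brought in line only here; worth a note in the commit message so that reviewers do not mistake this for the code change.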
Vulnerability mechanics
Root cause
"Missing input validation on the email subject field in the /deliveryservices/request endpoint allows an authenticated attacker to inject arbitrary email body content and recipient addresses."
Attack vector
An attacker must first authenticate as a Traffic Ops user with Portal-level privileges. The attacker then sends a crafted request to the `/deliveryservices/request` endpoint with a specially-crafted email subject. The server processes this input without proper sanitization, allowing the attacker to inject an arbitrary email body and specify an arbitrary recipient email address. The email is then sent from the Traffic Ops server to the attacker-chosen address with attacker-controlled content. This enables phishing, spam relay, or information disclosure via the email body.
Affected code
The vulnerability resides in the `/deliveryservices/request` endpoint of Apache Traffic Control's Traffic Ops component. The patch provided only bumps version numbers across `traffic_router/pom.xml` files and the `VERSION` file from 5.1.2 to 5.1.3, but does not show the actual code fix for the email injection flaw. The advisory indicates that an authenticated user with Portal-level privileges can exploit this endpoint to send emails with arbitrary body content to arbitrary addresses.
What the fix does
The supplied patch [patch_id=1666585] only updates version numbers from 5.1.2 to 5.1.3 across multiple `pom.xml` files and the `VERSION` file; it does not contain the actual security fix. Based on the advisory, the real fix would involve adding input validation and sanitization to the `/deliveryservices/request` endpoint to prevent injection of arbitrary email body content and recipient addresses. The version bump indicates that the fix was included in release 5.1.3.
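A validation layer of the kind the paragraph above describes, added here as an illustration and not Apache Traffic Control's actual 5.1.3 fix: it rejects control characters in the caller-supplied Subject header and restricts the recipient to an operator-configured domain allow-list before any message is assembled. The request field names, the allow-list policy and the message layout are assumptions.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Request fields modelled on the advisory; names are assumptions, not the real schema.
type deliveryServiceRequest struct {
	EmailTo string // recipient supplied by the caller
	Subject string // subject supplied by the caller
}

// validateHeaderValue rejects CR, LF and other ASCII control bytes in a single-line
// header such as Subject, so the value can never terminate the header it sits in.
func validateHeaderValue(v string) error {
	for _, r := range v {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("header value contains control character %U", r)
		}
	}
	return nil
}

// validateRecipient requires one well-formed address whose domain is on the
// operator's allow-list (a constructed policy; the real rule is an assumption).
func validateRecipient(addr string, allowedDomains []string) error {
	a, err := mail.ParseAddress(addr)
	if err != nil {
		return fmt.Errorf("recipient: %w", err)
	}
	domain := strings.ToLower(a.Address[strings.LastIndex(a.Address, "@")+1:])
	for _, d := range allowedDomains {
		if domain == d {
			return nil
		}
	}
	return fmt.Errorf("recipient domain %q not permitted", domain)
}

// buildMessage assembles the outgoing message only after both checks pass.
func buildMessage(req deliveryServiceRequest, allowedDomains []string, body string) (string, error) {
	if err := validateHeaderValue(req.Subject); err != nil {
		return "", err
	}
	if err := validateRecipient(req.EmailTo, allowedDomains); err != nil {
		return "", err
	}
	return fmt.Sprintf("To: %s\r\nSubject: %s\r\n\r\n%s\r\n", req.EmailTo, req.Subject, body), nil
}
```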
Preconditions
- auth: Attacker must have a valid authenticated session as a Traffic Ops user with Portal-level privileges.
- network: The attacker must be able to reach the Traffic Ops /deliveryservices/request endpoint over the network.
- input: The attacker must craft a request with a specially-crafted email subject to inject arbitrary body and recipient.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gw97-f6h8-gm94 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-42009 (GHSA; advisory)
- www.openwall.com/lists/oss-security/2021/10/12/1 (GHSA; mailing list, x_refsource_MLIST; web)
- lists.apache.org/thread.html/r78d471d8a4fd268a4c5ae6c47327c09d9d4b4467c31da2c97422febb%40%3Cdev.trafficcontrol.apache.org%3E (MITRE; mailing list, x_refsource_MLIST)
- lists.apache.org/thread.html/r78d471d8a4fd268a4c5ae6c47327c09d9d4b4467c31da2c97422febb@%3Cdev.trafficcontrol.apache.org%3E (GHSA; web)
- lists.apache.org/thread.html/r7dfa9a89b39d06caeeeb7b5cdc41b3493a9b86cc6cfa059d3f349d87%40%3Cannounce.apache.org%3E (MITRE; mailing list, x_refsource_MLIST)
- lists.apache.org/thread.html/r7dfa9a89b39d06caeeeb7b5cdc41b3493a9b86cc6cfa059d3f349d87@%3Cannounce.apache.org%3E (GHSA; web)
- lists.apache.org/thread.html/re384fd0f44c6d230f31376153c6e8b59e4a669f927c1533d06d702af%40%3Cdev.trafficcontrol.apache.org%3E (GHSA; x_refsource_MISC; web)
- lists.apache.org/thread.html/rf0481b9e38ece1ece458d3ce7b2d671df819e3555597f31fc34f084e%40%3Ccommits.trafficcontrol.apache.org%3E (GHSA; x_refsource_MISC; web)