Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
Description
An unprivileged attacker can scan internal ports via a crafted POST request to the Traffic Ops OAuth login endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Apache Traffic Control Traffic Ops prior to version 6.1.0 or 5.1.6, the /user/login/oauth endpoint does not properly validate the target of a POST request. An unprivileged user can send a specially-crafted request to cause Traffic Ops to attempt a connection to an arbitrary server and port, effectively enabling port scanning of internal hosts reachable by Traffic Ops [1].
Exploitation
An attacker with network access to Traffic Ops over HTTPS (no authentication required) sends a POST request to /user/login/oauth with crafted parameters. The response timing or error message reveals whether the target port is open, allowing the attacker to scan ports on servers that Traffic Ops can reach [1].
Impact
Successful exploitation allows the attacker to perform network reconnaissance, mapping open ports on internal servers accessible by Traffic Ops. This is an information disclosure vulnerability that can aid further attacks [1].
Mitigation
Upgrade to Apache Traffic Control version 6.1.0 or 5.1.6 (for the 5.x branch) to remediate the issue. No workaround is available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/apache/trafficcontrol (Go) | >= 6.0.0, < 6.1.0 | 6.1.0 |
| github.com/apache/trafficcontrol (Go) | < 5.1.6 | 5.1.6 |
Affected products
- Range: Traffic Ops
Patches
2bc8bde525246 Remove go.mod to make v6.1.0 importable
1 file changed · +0 −81
go.mod+0 −81 removed@@ -1,81 +0,0 @@ -module github.com/apache/trafficcontrol - -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -go 1.17 - -require ( - code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5 - github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 - github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d - github.com/basho/riak-go-client v1.7.1-0.20170327205844-5587c16e0b8b - github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 - github.com/dchest/siphash v1.2.2 - github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible - github.com/fsnotify/fsnotify v1.5.1 - github.com/go-acme/lego v2.7.2+incompatible - github.com/go-ldap/ldap/v3 v3.4.1 - github.com/go-ozzo/ozzo-validation v3.6.0+incompatible - github.com/gofrs/flock v0.8.1 - github.com/golang-migrate/migrate/v4 v4.15.1 - github.com/google/uuid v1.3.0 - github.com/hydrogen18/stoppableListener v0.0.0-20161101122645-827d760f0663 - github.com/influxdata/influxdb v1.9.5 - github.com/jmoiron/sqlx v1.3.4 - github.com/json-iterator/go v1.1.12 - github.com/kelseyhightower/envconfig v1.4.0 - github.com/kylelemons/godebug v1.1.1-0.20201107061927-e693023230a4 - github.com/lestrrat-go/jwx v1.2.12 - 
github.com/lib/pq v1.10.4 - github.com/miekg/dns v1.1.43 - github.com/onsi/ginkgo v1.16.5 - github.com/onsi/gomega v1.17.0 - github.com/pborman/getopt/v2 v2.1.0 - github.com/pkg/errors v0.9.1 - go.etcd.io/bbolt v1.3.6 - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 - golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98 - golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e - gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 - gopkg.in/yaml.v2 v2.4.0 -) - -require ( - github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect - github.com/basho/backoff v0.0.0-20150307023525-2ff7c4694083 // indirect - github.com/cenkalti/backoff v2.2.1+incompatible // indirect - github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d // indirect - github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect - github.com/goccy/go-json v0.7.10 // indirect - github.com/golang/protobuf v1.5.2 // indirect - github.com/hashicorp/errwrap v1.0.0 // indirect - github.com/hashicorp/go-multierror v1.1.0 // indirect - github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect - github.com/lestrrat-go/blackmagic v1.0.0 // indirect - github.com/lestrrat-go/httpcc v1.0.0 // indirect - github.com/lestrrat-go/iter v1.0.1 // indirect - github.com/lestrrat-go/option v1.0.0 // indirect - github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.2 // indirect - github.com/nxadm/tail v1.4.8 // indirect - go.uber.org/atomic v1.6.0 // indirect - golang.org/x/text v0.3.7 // indirect - google.golang.org/protobuf v1.27.1 // indirect - gopkg.in/square/go-jose.v2 v2.5.1 // indirect - gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect -)
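Review bot: deleting go.mod is a packaging workaround rather than a fix for this advisory, and nothing in the hunk touches the /user/login/oauth handler, so this commit should not be cited as the remediation. The visible module line `module github.com/apache/trafficcontrol` carries no `/v6` suffix, which is why a v6.1.0 tag could not be consumed as a Go module; the conventional remedy is to change the module path to `github.com/apache/trafficcontrol/v6` and keep both `require` blocks, since removing the file discards every dependency pin listed here (lestrrat-go/jwx, go-ldap/ldap/v3, golang.org/x/crypto and the rest) and downstream builds lose reproducibility. The commit message should at least state that trade-off.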
4fa2f3523183 RELEASE: Syncing VERSION file
1 file changed · +1 −1
VERSION+1 −1 modified@@ -1 +1 @@ -5.1.5 +5.1.6
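Review bot: the only change is the version string moving from 5.1.5 to 5.1.6, with no accompanying edit to the OAuth login handler anywhere in this bundle, so the commit message should name the commit that carries the actual /user/login/oauth fix; as it stands, anyone tracing the advisory to code from this patch finds only a release marker.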
Vulnerability mechanics
Root cause
"The /user/login/oauth endpoint accepts attacker-controlled server addresses or ports without proper validation, allowing an unauthenticated attacker to probe internal network services reachable by Traffic Ops."
Attack vector
An unprivileged attacker who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to the `/user/login/oauth` endpoint. The advisory does not specify the exact payload shape, but the endpoint appears to accept attacker-controlled server addresses or ports. By manipulating these parameters, the attacker can induce Traffic Ops to connect to arbitrary internal hosts and ports, effectively performing a port scan of servers that Traffic Ops can reach. No authentication is required to trigger this behavior.
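The check that the root cause above describes as missing, written here as an added Go example and not taken from Traffic Ops (the bundle contains no handler fix): a caller-supplied authorization-server address is matched against an operator allowlist (the host sso.example.internal is a constructed placeholder) and its resolved addresses are rejected if they fall in loopback, private, link-local or unspecified ranges, all before any outbound connection is attempted.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed example: the operator-configured allowlist of OAuth
// authorization-server hosts. Anything else is rejected before any connection.
var allowedOAuthHosts = map[string]bool{"sso.example.internal": true}
// Loopback, RFC 1918, link-local, unspecified and ULA ranges. A target that
// resolves into any of these is the internal-host probe the advisory describes.
var blockedNets []*net.IPNet

func init() {
	for _, c := range []string{"0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
		"172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10"} {
		_, n, _ := net.ParseCIDR(c) // literals above are known-good
		blockedNets = append(blockedNets, n)
	}
}

// ValidateOAuthTarget accepts a caller-supplied authorization-server URL only if
// it is https with no explicit port or userinfo, its host is allowlisted, and every
// address it resolves to is outside blockedNets. The resolver is injected so the
// check is testable without live DNS (net.LookupIP would be passed in production).
func ValidateOAuthTarget(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil || u.Port() != "" {
		return nil, fmt.Errorf("oauth target must be an https URL with no explicit port or userinfo")
	}
	host := strings.ToLower(u.Hostname())
	if !allowedOAuthHosts[host] {
		return nil, fmt.Errorf("oauth host %q is not allowlisted", host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("could not resolve %q", host)
	}
	for _, ip := range ips {
		for _, n := range blockedNets {
			if n.Contains(ip) {
				return nil, fmt.Errorf("%q resolves to blocked address %s", host, ip)
			}
		}
	}
	return u, nil
}
```

Because the resolved addresses are checked rather than only the hostname, an allowlisted name that is later pointed at an internal address is still refused.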
Affected code
The patches provided only update the VERSION file (from 5.1.5 to 5.1.6) and remove the go.mod file. Neither patch contains any code changes to the authentication or OAuth login handler. The advisory indicates the vulnerability exists in the Traffic Ops component, specifically in the `/user/login/oauth` endpoint, but the supplied patches do not show the actual fix for the SSRF-like port scanning issue.
What the fix does
The supplied patches do not contain the actual security fix. Patch [patch_id=1666581] simply bumps the VERSION file from 5.1.5 to 5.1.6, marking the release that includes the fix. Patch [patch_id=1666582] removes the go.mod file to make the v6.1.0 module importable. The advisory states that versions prior to 6.1.0 or 5.1.6 are vulnerable, meaning the real fix was applied in a different commit not included in this bundle.
Preconditions
- network: Attacker must be able to reach Traffic Ops over HTTPS.
- auth: No authentication or privileges required.
- input: Attacker must be able to send a POST request to /user/login/oauth.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wp47-9r3h-xfgq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23206 (advisory)
- lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f (web, x_refsource_MISC)