Go modules package

github.com/apache/trafficcontrol

pkg:golang/github.com/apache/trafficcontrol

Vulnerabilities (6)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2022-23206		—	>= 6.0.0, < 6.1.0	6.1.0	Feb 6, 2022	In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
CVE-2021-43350		—	>= 6.0.0, < 6.0.1	6.0.1	Nov 11, 2021	An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
CVE-2021-42009		—	< 5.1.3	5.1.3	Oct 12, 2021	An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitr
CVE-2020-17522		—	< 5.0.0	5.0.0	Jan 26, 2021	When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these p
CVE-2019-12405		—	>= 3.0.0, < 3.0.2-RC1	3.0.2-RC1	Sep 9, 2019	Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without tha
CVE-2017-7670	Hig	7.5	>= 1.1.4, < 1.8.1	1.8.1	Jul 10, 2017	The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Tra

CVE-2022-23206Feb 6, 2022
affected >= 6.0.0, < 6.1.0fixed 6.1.0
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
CVE-2021-43350Nov 11, 2021
affected >= 6.0.0, < 6.0.1fixed 6.0.1
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
CVE-2021-42009Oct 12, 2021
affected < 5.1.3fixed 5.1.3
An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitr
CVE-2020-17522Jan 26, 2021
affected < 5.0.0fixed 5.0.0
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these p
CVE-2019-12405Sep 9, 2019
affected >= 3.0.0, < 3.0.2-RC1fixed 3.0.2-RC1
Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without tha
CVE-2017-7670HigJul 10, 2017
affected >= 1.1.4, < 1.8.1fixed 1.8.1
The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Tra