CVE-2022-23206

Summary

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Traffic ControlTraffic Ops < 6.1.0affected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery (SSRF)

Workarounds

6.0.x user should upgrade to 6.1.0. 5.1.x users should upgrade to 5.1.6 or 6.1.0.

ADP Enrichment

CVE Program Container

Additional References

References