CVE-2021-42009

Apache Traffic Control Traffic Ops Email Injection Vulnerability

EPSS 2.7%CWE-20

Vexday Risk Score

3Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS —EPSS 2.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 oct 2021Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to 5.1.3 or 6.0.0. 4.1.x users should upgrade to 5.1.3.

Productos afectados

Apache Software Foundation · Apache Traffic Control

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://lists.apache.org/thread.html/r78d471d8a4fd268a4c5ae6c47327c09d9d4b4467c31da2c97422febb%40%3Cdev.trafficcontrol.apache.org%3E https://lists.apache.org/thread.html/r7dfa9a89b39d06caeeeb7b5cdc41b3493a9b86cc6cfa059d3f349d87%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/re384fd0f44c6d230f31376153c6e8b59e4a669f927c1533d06d702af%40%3Cdev.trafficcontrol.apache.org%3E https://lists.apache.org/thread.html/rf0481b9e38ece1ece458d3ce7b2d671df819e3555597f31fc34f084e%40%3Ccommits.trafficcontrol.apache.org%3E http://www.openwall.com/lists/oss-security/2021/10/12/1