Improper input validation in Apache Traffic Control



Published: 2021-10-12
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-42009
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Apache Traffic Control
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor Apache Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU57218

Risk: Low

CVSSv3.1: 3.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42009

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to inject arbitrary content into emails.

The vulnerability exists due to insufficient validation of user-supplied input send to the /deliveryservices/request Traffic Ops API endpoint. A remote user can send a specially crafted request to the affected API endpoint and inject arbitrary content into email messages.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Traffic Control: 3.0.0 - 5.1.3

External links

http://github.com/apache/trafficcontrol/releases/tag/RELEASE-6.0.0


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###