Input validation error in Apache Traffic Control

#VU57218 Input validation error in Apache Traffic Control

Published: 2021-10-12

Vulnerability identifier: #VU57218

Vulnerability risk: Low

CVSSv3.1: 3.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42009

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Traffic Control
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote user to inject arbitrary content into emails.

The vulnerability exists due to insufficient validation of user-supplied input send to the /deliveryservices/request Traffic Ops API endpoint. A remote user can send a specially crafted request to the affected API endpoint and inject arbitrary content into email messages.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Traffic Control: 3.0.0 - 5.1.3

External links
http://github.com/apache/trafficcontrol/releases/tag/RELEASE-6.0.0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper input validation in Apache Traffic Control