Walkerxiong

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Control Traffic Ops versions prior to 6.1.0 Apache Traffic Control Traffic Ops versions prior to 5.1.6 **Description** The issue allows an unprivileged user who can reach Traffic Ops over HTTPS to send a specially-crafted POST request to "/user/login/oauth" to scan a port of a server that Traffic Ops can reach. This is a case of Server-Side Request Forgery. **Recommendations** For versions prior to 6.1.0, update to version 6.1.0 or later. For versions prior to 5.1.6, update to version 5.1.6 or later. As a temporary workaround, consider restricting access to the "/user/login/oauth" endpoint until a patch is available.