PT-2021-23468 · Apache · Apache Traffic Control

Eric Friedrich +1 · Published 2021-10-12 · Updated 2024-08-21 · CVE-2021-42009

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache Traffic Control versions 4.1.x through 5.1.x

Description: An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the "/deliveryservices/request" Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address.

Recommendations: For Apache Traffic Control 4.1.x, upgrade to 5.1.3. For Apache Traffic Control 5.1.x, upgrade to 5.1.3 or 6.0.0.
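The kind of input check that closes this class of issue, as an added example in Go (the language Traffic Ops is written in) that is not the project's own code: it assumes the crafted subject works by smuggling line breaks into the mail header, which the advisory does not state explicitly, and all names, addresses and inputs below are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// ErrUnsafeSubject is returned when a subject could break out of the
// Subject: header and add headers or body text of its own.
var ErrUnsafeSubject = errors.New("email subject contains line breaks or control characters")

// ValidateEmailSubject accepts a single-line, printable subject and rejects
// anything that could end the header line (CR, LF, other control characters).
// Constructed defensive check; assumes header injection is the mechanism.
func ValidateEmailSubject(subject string) error {
	if strings.TrimSpace(subject) == "" {
		return errors.New("email subject must not be empty")
	}
	for _, r := range subject {
		if r == '\r' || r == '\n' || unicode.IsControl(r) {
			return ErrUnsafeSubject
		}
	}
	return nil
}

// BuildMessage renders the raw message only after the user-controlled subject
// passes validation, so a request cannot reach the mailer with extra headers.
func BuildMessage(from, to, subject, body string) (string, error) {
	if err := ValidateEmailSubject(subject); err != nil {
		return "", err
	}
	return fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s\r\n", from, to, subject, body), nil
}

func main() {
	// Constructed inputs: a normal subject and one carrying a smuggled header line.
	for _, s := range []string{"Delivery service request", "Request\r\nBcc: other@example.invalid"} {
		if _, err := BuildMessage("ops@example.invalid", "admin@example.invalid", s, "body"); err != nil {
			fmt.Printf("rejected %q: %v\n", s, err)
		} else {
			fmt.Printf("accepted %q\n", s)
		}
	}
}
```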

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2021-42009
GHSA-GW97-F6H8-GM94
GO-2022-0602

Affected Products

Apache Traffic Control