
x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-pw59-4qgf-jxr8 #702

Closed
GoVulnBot opened this issue Aug 1, 2022 · 1 comment
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-pw59-4qgf-jxr8, there is a vulnerability in the following Go packages or modules:

Unit                              Fixed   Vulnerable Ranges
github.com/apache/trafficcontrol  5.0.0   < 5.0.0

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/apache/trafficcontrol
    versions:
      - fixed: 5.0.0
description: When ORT (now via atstccfg) generates ip_allow.config files in Apache
    Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions
    that allow bad actors to push arbitrary content into and remove arbitrary content
    from CDN cache servers. Additionally, these permissions are potentially extended
    to IP addresses outside the desired range, resulting in them being granted to
    clients possibly outside the CDN architecture.
published: 2021-12-16T19:20:21Z
last_modified: 2022-04-12T22:17:55Z
cves:
  - CVE-2020-17522
ghsas:
  - GHSA-pw59-4qgf-jxr8
links:
    context:
      - https://github.com/advisories/GHSA-pw59-4qgf-jxr8

@neild neild added excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed NeedsTriage labels Aug 22, 2022
@neild
Contributor

neild commented Aug 22, 2022

Fix is in a Perl script.
