Platform: go
Component: github.com/apache/trafficcontrol
Fixed in: 5.1.6, 6.1.0, 5.1.6+incompatible
CVE-2022-23206 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Apache Traffic Control. This flaw allows an attacker to manipulate the application into making requests to unintended internal or external resources, potentially exposing sensitive data or enabling further attacks. The vulnerability impacts versions of Apache Traffic Control prior to 5.1.6+incompatible, and a fix is available in that version.
The SSRF vulnerability in Apache Traffic Control allows an attacker to craft malicious requests that the Traffic Control server will execute on behalf of the attacker. This can lead to several serious consequences. An attacker could potentially access internal services that are not directly exposed to the internet, such as databases, configuration files, or other administrative interfaces. Furthermore, an attacker could use the SSRF vulnerability to scan internal networks, identify other vulnerable services, and potentially escalate their attack. The blast radius extends to any internal resources accessible via HTTP/HTTPS from the Traffic Control server.
CVE-2022-23206 was publicly disclosed on August 21, 2024. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the SSRF nature of the vulnerability makes it likely that exploits will emerge if the vulnerability remains unpatched.
Exploit Status
EPSS: 0.84% (75th percentile)
CVSS Vector
The primary mitigation for CVE-2022-23206 is to upgrade Apache Traffic Control to version 5.1.6+incompatible or later. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to the Traffic Control server to only necessary IP addresses and ports. Implement strict input validation and sanitization to prevent attackers from crafting malicious URLs. Web Application Firewalls (WAFs) can be configured to block suspicious outgoing requests based on URL patterns and destination IP addresses. Monitor Traffic Control logs for unusual outbound requests.
Update Apache Traffic Control Traffic Ops to version 6.1.0 or higher, or to version 5.1.6 or higher. This corrects the Server-Side Request Forgery (SSRF) vulnerability in the /user/login/oauth endpoint.
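The workaround the advisory recommends (strict validation of any URL the server will fetch on a user's behalf) is easy to state and easy to get subtly wrong. The Go snippet below is an added example written for this page; it is not Apache Traffic Control's code or its actual fix, and it assumes a login handler that receives an identity-provider URL from the request (the page only names the /user/login/oauth endpoint, not how the target URL reaches it). The allowlisted hosts, the `fakeLookup` resolver table and the `validateOAuthTarget` function are constructed for illustration. The check enforces an https-only scheme, a host allowlist, no userinfo and no non-standard port, and then, as defence in depth, refuses any allowlisted name that resolves to a loopback, link-local, private or unspecified address, which covers the case where an otherwise trusted name is pointed at an internal host.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// allowedOAuthHosts is a constructed allowlist of identity-provider hosts the
// login flow may contact. A real deployment would load this from configuration.
var allowedOAuthHosts = map[string]bool{
	"login.example.com": true,
	"sso.example.org":   true,
}

// ErrRejected wraps every validation failure so callers can test with errors.Is.
var ErrRejected = errors.New("oauth target rejected")

// isInternalIP reports whether ip is loopback, link-local, RFC 1918/ULA private,
// or unspecified: none of these should ever be a legitimate identity provider.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsUnspecified()
}

// validateOAuthTarget checks a user-supplied URL before the server fetches it.
// lookup is injected so the check can be exercised offline; in production pass
// net.LookupIP. On success the returned URL has a normalised (lowercase,
// no trailing dot) host.
func validateOAuthTarget(raw string, lookup func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: unparsable url: %v", ErrRejected, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q not allowed", ErrRejected, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: userinfo in url", ErrRejected)
	}
	// Normalise before the allowlist lookup so case or a trailing dot cannot
	// bypass it; url.Parse does not lowercase the host for us.
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if !allowedOAuthHosts[host] {
		return nil, fmt.Errorf("%w: host %q not in allowlist", ErrRejected, host)
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("%w: port %q not allowed", ErrRejected, p)
	}
	// Defence in depth: an allowlisted name must not resolve to an internal address.
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%w: cannot resolve %q", ErrRejected, host)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("%w: %q resolves to internal address %s", ErrRejected, host, ip)
		}
	}
	u.Host = host
	return u, nil
}

// fakeLookup is a constructed, offline stand-in for net.LookupIP. The second
// entry models an allowlisted name that has been pointed at an internal host.
func fakeLookup(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"login.example.com": {net.ParseIP("203.0.113.10")},
		"sso.example.org":   {net.ParseIP("10.0.0.5")},
	}
	ips, ok := table[host]
	if !ok {
		return nil, errors.New("no such host")
	}
	return ips, nil
}

func main() {
	// Constructed sample inputs: one legitimate target and several that the
	// check must refuse.
	for _, raw := range []string{
		"https://login.example.com/authorize",
		"http://login.example.com/authorize",
		"https://169.254.169.254/latest/meta-data/",
		"https://sso.example.org/authorize",
		"https://login.example.com:8443/authorize",
		"https://LOGIN.EXAMPLE.COM./authorize",
	} {
		if u, err := validateOAuthTarget(raw, fakeLookup); err != nil {
			fmt.Printf("REJECT %s: %v\n", raw, err)
		} else {
			fmt.Printf("ALLOW  %s -> host %s\n", raw, u.Host)
		}
	}
}
```

Rejecting rather than rewriting is deliberate: a request that fails any check should produce a 4xx from the login handler and a log line naming the rejected host, which is also the signal the advisory's "monitor for unusual outbound requests" advice relies on.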
CVE-2022-23206 is a Server-Side Request Forgery vulnerability in Apache Traffic Control, allowing attackers to make unauthorized requests. It has a CVSS score of 7.5 (HIGH).
You are affected if you are running Apache Traffic Control versions prior to 5.1.6+incompatible. Upgrade immediately to mitigate the risk.
Upgrade to version 5.1.6+incompatible or later. Implement temporary workarounds like restricting network access and input validation if immediate upgrade is not possible.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the Apache Traffic Control project's website and security mailing lists for the latest advisory and updates: https://trafficcontrol.apache.org/