CVE-2021-42009

Improper Input Validation in go/github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/login

Identifiers

CVE-2021-42009

Package Slug

go/github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/login

Vulnerability

Improper Input Validation

Description

An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address.

Affected Versions

All versions from 4.1.0 up to, but not including, 5.1.3

Solution

Upgrade to version 5.1.3 or above.

Last Modified

2021-10-20
