Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2022-23206
CVE-2022-23206:
vulnerability analysis and mitigation
Overview
In Apache Traffic Control Traffic Ops prior to versions 6.1.0 or 5.1.6, a Server-Side Request Forgery (SSRF) vulnerability was identified. The vulnerability was discovered and assigned CVE-2022-23206, with the record being created on January 13, 2022, and publicly disclosed in February 2022 (CVE Details).
Technical details
The vulnerability exists in the /user/login/oauth endpoint of Traffic Ops. An unprivileged user with HTTPS access to Traffic Ops can send a specially-crafted POST request to the /user/login/oauth endpoint, which allows them to scan ports on servers that Traffic Ops can reach (NVD Report).
Impact
This vulnerability could allow attackers to perform unauthorized port scanning of internal systems that are accessible to the Traffic Ops server, potentially leading to network reconnaissance and discovery of additional attack vectors (Apache Advisory).
Mitigation and workarounds
Users are advised to upgrade Apache Traffic Control Traffic Ops to version 6.1.0 or 5.1.6 or later versions to address this vulnerability (CVE Details).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management