In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/apache/trafficcontrol(Go) | 6.0.0 | 6.1.0 | N/A |
| github.com/apache/trafficcontrol(Go) | 0 | 5.1.6 | N/A |
CVSS Metrics
