Message-ID: <e3440ff4-7ec6-0d54-ec56-ce900631bbf4@apache.org>
Date: Mon, 23 Dec 2024 15:02:31 +0000
From: Eric Friedrich <friede@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments

Affected versions:

- Apache Traffic Control 8.0.0 through 8.0.1: affected
- Apache Traffic Control 7.0.0 up to, but not including, 8.0.0: unaffected

Description:

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially crafted PUT request.

Users running an affected version of Traffic Ops are recommended to upgrade to Apache Traffic Control 8.0.2.
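The advisory states the vulnerability class (request data reaching the SQL text of a PUT handler) without showing code, so the following is an added illustration of the general pattern and its fix, not Traffic Ops's own Go code or schema. It uses Python's sqlite3 as an offline stand-in for the database; the table layout, the seed rows, the handler names and the request value are all constructed for the example. The unsafe handler splices the comment value into the statement and a single quote in the request body changes which rows the UPDATE touches; the hardened handler binds the value as a parameter, so the same string is stored literally and only the addressed row changes.

```python
import sqlite3

# Constructed stand-in for a comments table; not Traffic Control's real schema.
SCHEMA = """
CREATE TABLE deliveryservice_request_comments (
    id     INTEGER PRIMARY KEY,
    author TEXT NOT NULL,
    value  TEXT NOT NULL
);
"""

# Constructed seed rows.
SEED = [
    (1, "alice", "please review"),
    (2, "bob", "looks good"),
]

# Constructed request value: a comment body containing a quote and a SQL comment
# marker. Any value with a quote would misbehave in the unsafe handler.
CONSTRUCTED_PUT_VALUE = "x' WHERE 1=1 --"


def fresh_db():
    """Return an in-memory database populated with the seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO deliveryservice_request_comments VALUES (?, ?, ?)", SEED
    )
    conn.commit()
    return conn


def update_comment_unsafe(conn, comment_id, new_value):
    """Vulnerable pattern (hypothetical): request data becomes SQL text.

    Returns the number of rows the UPDATE touched.
    """
    sql = (
        "UPDATE deliveryservice_request_comments "
        f"SET value = '{new_value}' WHERE id = {comment_id}"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_comment_safe(conn, comment_id, new_value):
    """Hardened pattern: the value is bound as a parameter and the id is
    type-checked before it is used, so neither can alter the statement.

    Returns the number of rows the UPDATE touched.
    """
    if not isinstance(comment_id, int):
        raise ValueError("comment id must be an integer")
    cur = conn.execute(
        "UPDATE deliveryservice_request_comments SET value = ? WHERE id = ?",
        (new_value, comment_id),
    )
    conn.commit()
    return cur.rowcount


def read_values(conn):
    """Return the comment values ordered by id, for inspecting the effect."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT value FROM deliveryservice_request_comments ORDER BY id"
        )
    ]


if __name__ == "__main__":
    db = fresh_db()
    touched = update_comment_unsafe(db, 1, CONSTRUCTED_PUT_VALUE)
    print("unsafe handler touched", touched, "rows:", read_values(db))

    db = fresh_db()
    touched = update_comment_safe(db, 1, CONSTRUCTED_PUT_VALUE)
    print("safe handler touched", touched, "row:", read_values(db))
```

The observable difference is the row count returned by the handler: the unsafe version reports every row updated and the stored comment no longer matches what was sent, while the parameterized version reports exactly one row and stores the request value verbatim. Logging an unexpected rowcount from a single-row PUT handler is a cheap detection signal for this class of defect.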

Credit:

Yuan Luo from Tencent YunDing Security Lab (reporter)

References:

https://trafficcontrol.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45387
