CRITICAL🇵🇱 Wersja polska

CVE-2024-45387

CVSS 9.9v3.1pub. 2024-12-23upd. 2025-02-11

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.

🤖 AI Analysis
How it works

An attacker with an account holding one of the following roles: 'admin', 'federation', 'operations', 'portal' or 'steering' can send a specially crafted HTTP PUT request to Traffic Ops. Improper input validation (CWE-89) and insufficient access control (CWE-285) allow injection of arbitrary SQL code, which is executed directly on the database. The attack does not require interaction from another user and can be conducted remotely over the network.

Impact

An attacker can read, modify, or delete any data in the Traffic Ops database, leading to complete breach of confidentiality, integrity, and availability of the CDN management system. The scope of the attack extends beyond the application context itself (Scope: Changed), meaning potential impact on dependent infrastructure.

Mitigation & patch

Apache Traffic Control should be updated to version 8.0.2, which contains a patch eliminating the vulnerability. If immediate update is not possible, it is recommended to restrict network access to the Traffic Ops interface to trusted hosts only and audit accounts holding the following roles: 'admin', 'federation', 'operations', 'portal' and 'steering'.

Who is affected

Apache Traffic Control in versions 8.0.0 and 8.0.1 (Traffic Ops component)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Apache Traffic Control

    APP
    Apache
    8.0.0 – 8.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2021-43350CRITICAL9.8ten sam produkt

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted usernam...

CVE-2019-12405CRITICAL9.8ten sam produkt

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for ...

CVE-2025-61581HIGH7.5ten sam produkt

** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Cont...

CVE-2022-23206HIGH7.5ten sam produkt

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops ...

CVE-2017-7670HIGH7.5ten sam produkt

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris sty...