Posted to announce@apache.org by Zach Hoffman <zr...@apache.org> on 2021/11/11 20:53:32 UTC
CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops
Severity: critical
Description:
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
Mitigation:
6.0.x users should upgrade to 6.0.1.
5.1.x users should upgrade to 5.1.4.
Credit:
This issue was discovered by Apache Traffic Control user pupiles.
References:
https://trafficcontrol.apache.org/security/
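The advisory describes a username being placed into an LDAP search filter without sanitization. The Go program below is an added illustration, not code from the Traffic Ops project: it shows the vulnerable concatenation pattern beside a hardened version that escapes the filter-reserved characters per RFC 4515, plus a small check a login handler can use to log attempts that contain reserved characters. The filter shape `(&(objectClass=person)(uid=...))`, the function names, and the sample usernames are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLDAPFilterValue escapes the characters RFC 4515 reserves inside a
// filter assertion value ('*', '(', ')', '\' and NUL) as "\xx" hex escapes,
// so that user-supplied text is always treated as a literal value and can
// never change the structure of the filter it is embedded in.
func escapeLDAPFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeLoginFilter reproduces the pattern the advisory warns about:
// the username is concatenated into the filter verbatim (assumed filter
// shape; the real Traffic Ops filter is not shown in the advisory).
func unsafeLoginFilter(username string) string {
	return "(&(objectClass=person)(uid=" + username + "))"
}

// safeLoginFilter is the hardened form: the username is escaped first,
// so reserved characters survive only as literal hex escapes.
func safeLoginFilter(username string) string {
	return "(&(objectClass=person)(uid=" + escapeLDAPFilterValue(username) + "))"
}

// containsFilterMetachars reports whether a username carries any of the
// reserved characters. Escaping already makes such input harmless; this
// check exists so a login handler can additionally log the attempt, since
// legitimate usernames rarely contain these characters.
func containsFilterMetachars(username string) bool {
	return strings.ContainsAny(username, "*()\\\x00")
}

func main() {
	// Constructed sample usernames: one ordinary, one carrying reserved
	// characters of the kind an unsanitized filter would interpret.
	for _, u := range []string{"jdoe", "j*doe(test)"} {
		fmt.Printf("username %q\n", u)
		fmt.Printf("  unsafe filter: %s\n", unsafeLoginFilter(u))
		fmt.Printf("  safe filter:   %s\n", safeLoginFilter(u))
		if containsFilterMetachars(u) {
			fmt.Println("  note: username contains LDAP filter metacharacters; worth logging")
		}
	}
}
```

Libraries such as go-ldap ship an equivalent `ldap.EscapeFilter` function; whichever is used, the fix is the same: every user-controlled value goes through the escape before it is spliced into a filter string, and the escaped filter is what reaches the directory server.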
Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops
Posted by Zach Hoffman <zr...@apache.org>.
CORRECTION:
This issue was discovered by Apache Traffic Control user zhouxufeng@bytedance.com.
On Thu, 2021-11-11 at 20:53 +0000, Zach Hoffman wrote:
> Severity: critical
>
> Description:
>
> An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
>
> Mitigation:
>
> 6.0.x users should upgrade to 6.0.1.
> 5.1.x users should upgrade to 5.1.4.
>
> Credit:
>
> This issue was discovered by Apache Traffic Control user pupiles.
>
> References:
>
> https://trafficcontrol.apache.org/security/
>