Posted to announce@apache.org by Zach Hoffman <zr...@apache.org> on 2021/11/16 20:42:24 UTC
Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops
CORRECTION:
This issue was discovered by Apache Traffic Control user zhouxufeng@bytedance.com.
On Thu, 2021-11-11 at 20:53 +0000, Zach Hoffman wrote:
> Severity: critical
>
> Description:
>
> An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
>
> Mitigation:
>
> 6.0.x users should upgrade to 6.0.1.
> 5.1.x users should upgrade to 5.1.4.
>
> Credit:
>
> This issue was discovered by Apache Traffic Control user pupiles.
>
> References:
>
> https://trafficcontrol.apache.org/security/
>
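The advisory above describes the defect class (a caller-controlled username interpolated unescaped into an LDAP search filter) without showing code. The following is an added illustration written for this page, not code from Apache Traffic Control or from the advisory author: it places a filter built the vulnerable way beside one that escapes the value per RFC 4515 before interpolation. The filter template, the function names and the sample usernames are assumptions made for the example; the real Traffic Ops filter and its fix are not reproduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical lookup-by-login filter template (an assumption for this example;
// the advisory does not show the template Traffic Ops uses).
const userFilterTemplate = "(&(objectClass=person)(uid=%s))"

// vulnerableFilter reproduces the defect class in the advisory: the
// request-supplied username is dropped into the filter verbatim, so any
// filter metacharacters it carries become part of the filter grammar.
func vulnerableFilter(username string) string {
	return fmt.Sprintf(userFilterTemplate, username)
}

// EscapeFilterValue escapes the characters that RFC 4515 reserves inside an
// assertion value, using the \xx hexadecimal form the RFC specifies:
//   \ -> \5c   * -> \2a   ( -> \28   ) -> \29   NUL -> \00
// Multi-byte UTF-8 is passed through unchanged, as the RFC allows.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// safeFilter is the hardened counterpart: the username is escaped first, so
// it can only ever match as a literal uid value and cannot alter the filter.
func safeFilter(username string) string {
	return fmt.Sprintf(userFilterTemplate, EscapeFilterValue(username))
}

// ContainsFilterMetachars reports whether a raw value carries any character
// that would change filter structure if interpolated unescaped. It is a
// useful guard in unit tests for login handlers and when reviewing login
// attempts in request logs.
func ContainsFilterMetachars(s string) bool {
	return strings.ContainsAny(s, "\\*()\x00")
}

func main() {
	// Constructed sample usernames: one ordinary, two carrying metacharacters.
	for _, name := range []string{"jdoe", `j*`, `j\o`} {
		fmt.Printf("input %q (metachars: %v)\n", name, ContainsFilterMetachars(name))
		fmt.Printf("  unescaped: %s\n", vulnerableFilter(name))
		fmt.Printf("  escaped:   %s\n", safeFilter(name))
	}
}
```

In a code base that already depends on the go-ldap client, `ldap.EscapeFilter` performs the same RFC 4515 escaping and should be preferred over a hand-written routine; the point of the example is that the escape must happen on the value before it is spliced into the filter, and that a test such as `ContainsFilterMetachars` on raw input makes the unescaped path easy to catch in review.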