Posted to announce@apache.org by Zach Hoffman <zr...@apache.org> on 2021/11/16 20:42:24 UTC

Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops

CORRECTION:
This issue was discovered by Apache Traffic Control user zhouxufeng@bytedance.com.

On Thu, 2021-11-11 at 20:53 +0000, Zach Hoffman wrote:
> Severity: critical
> 
> Description:
> 
> An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
> 
> Mitigation:
> 
> 6.0.x users should upgrade to 6.0.1.
> 5.1.x users should upgrade to 5.1.4.
> 
> Credit:
> 
> This issue was discovered by Apache Traffic Control user pupiles.
> 
> References:
> 
> https://trafficcontrol.apache.org/security/
>
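To show the defect class the advisory describes and its fix, here is an added Go example (not Traffic Ops code) that builds a login filter two ways: splicing the username in unescaped, and escaping it per RFC 4515 first. The `uid`/`objectClass` attributes and the username value are constructed assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515, section 3): '*', '(', ')', '\' and NUL become \XX hex escapes,
// so the value can only ever be matched literally.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeLoginFilter splices the username straight into the filter string.
// This is the pattern behind the injection the advisory describes.
func unsafeLoginFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", username)
}

// safeLoginFilter escapes the username first; filter metacharacters in the
// input no longer change the structure of the search.
func safeLoginFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", escapeFilterValue(username))
}

func main() {
	// Constructed sample input: a username carrying a filter metacharacter.
	u := "alice*"
	fmt.Println("unsafe:", unsafeLoginFilter(u))
	fmt.Println("safe:  ", safeLoginFilter(u))
}
```

For a plain username both builders produce the same filter; they only diverge when the input contains filter syntax, which is the case a login handler must treat as data, not structure.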