Critical SQL injection flaw identified in Apache Traffic Control
Take action: This is one of the rare cases where keeping your systems current works against you. The flaw exists only in the two latest releases, 8.0.0 and 8.0.1, so older versions are not affected. If you are on the 8.0.x track, plan to patch soon. It is not a drop-everything flaw, since exploitation requires an authenticated account holding one of several privileged roles, but it should not be ignored: a compromised or malicious account with one of those roles gets arbitrary SQL execution against the Traffic Ops database.
Learn More
A critical SQL injection vulnerability has been identified in Apache Traffic Control, allowing arbitrary SQL command execution.
Apache Traffic Control is an open-source tool for managing Content Delivery Networks (CDNs). It handles traffic routing, monitoring, and load balancing across distributed servers that deliver web content, videos, and other media to end users.
The flaw is tracked as CVE-2024-45387 (CVSS score 9.9) and lives in the Traffic Ops component; it is exploitable through specially crafted PUT requests. Exploitation requires an authenticated user holding one of the following roles:
  - admin
  - federation
  - operations
  - portal
  - steering
Affected versions are Apache Traffic Control 8.0.0 and 8.0.1. Versions before 8.0.0 are not affected.
The vulnerability has been patched in Apache Traffic Control version 8.0.2. Users are strongly advised to upgrade to this version immediately.
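As a quick check, here is an added inventory-triage script (example code, not from the advisory or the Apache Traffic Control project) that classifies hosts by whether their Traffic Ops version falls in the affected 8.0.0 to 8.0.1 range, treating 8.0.2 as the first fixed release. The hostnames and version strings in it are constructed, and the handling of package-style suffixes such as "-1.el8" is an assumption about how your inventory reports versions; unparseable versions are deliberately reported as unknown rather than safe.

```python
"""Triage helper for CVE-2024-45387: flag Apache Traffic Control installs that fall in the
affected range (8.0.0 up to, but not including, the 8.0.2 fix).

Added example; not part of the advisory or the Apache Traffic Control project.
"""
import re

AFFECTED_MIN = (8, 0, 0)   # first affected release
FIXED = (8, 0, 2)          # first release carrying the fix

# Assumption: versions arrive as "8.0.1", "v8.0.1" or package-style "8.0.1-1.el8";
# any trailing build/release suffix is ignored for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version is inside [8.0.0, 8.0.2), i.e. vulnerable to CVE-2024-45387."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {host: version} inventory into hosts to patch, hosts already safe,
    and hosts whose version string could not be parsed (unknown, not safe)."""
    result: dict[str, list[str]] = {"patch": [], "safe": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patch" if is_affected(version) else "safe"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "to-prod-1": "8.0.1",
        "to-prod-2": "8.0.0-3.el8",
        "to-stage-1": "8.0.2",
        "to-legacy-1": "7.0.1",
        "to-lab-1": "unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it whatever your CMDB or package manager reports for each Traffic Ops host; anything in the "patch" bucket should go to 8.0.2, and anything in "unknown" needs a manual look before it is counted as safe.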