Apache Traffic Control Vulnerability Let Attackers Inject Malicious SQL Commands


A critical SQL injection vulnerability, identified as CVE-2024-45387, has been discovered in Apache Traffic Control, a widely used open-source platform for managing large-scale content delivery networks (CDNs).

This vulnerability affects versions 8.0.0 through 8.0.1 of the software and has been assigned a CVSS score of 9.9, indicating its severe impact on system confidentiality, integrity, and availability.

The flaw resides in the Traffic Ops component of Apache Traffic Control. Specifically, it allows a privileged user with roles such as “admin,” “federation,” “operations,” “portal,” or “steering” to execute arbitrary SQL commands against the underlying database by sending a specially crafted PUT request to the deliveryservice_request_comments endpoint.

The weakness is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’).
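As an added illustration of the defender's side, not code from this article or from the Apache Traffic Control project: a small Python scan over constructed, hypothetical JSON-formatted access log lines (not Traffic Ops's real log format) that flags PUT requests to the deliveryservice_request_comments endpoint whose body carries SQL metacharacters, and records whether the caller held one of the roles named above. The API path prefix, the log field names and the heuristic pattern are assumptions.

```python
import json
import re

# Endpoint named in the advisory and the roles it says can reach it.
TARGET_PATH = "deliveryservice_request_comments"
PRIVILEGED_ROLES = {"admin", "federation", "operations", "portal", "steering"}

# Crude SQL-metacharacter heuristic (quotes, comment markers, separators,
# common keywords); expect false positives on free-text comments and tune it.
SQLI_PATTERN = re.compile(
    r"(['\";]|--|/\*|\*/|\b(union|select|insert|update|delete|drop|alter)\b)",
    re.IGNORECASE,
)

def is_suspicious_body(body: str) -> bool:
    """Return True when any string value in the JSON body matches the heuristic."""
    try:
        doc = json.loads(body)
    except ValueError:
        # A non-JSON body is itself unusual for this endpoint; flag it.
        return True
    values = doc.values() if isinstance(doc, dict) else [doc]
    return any(isinstance(v, str) and SQLI_PATTERN.search(v) for v in values)

def scan_logs(lines):
    """Return (user, role, privileged) for PUTs to the target path with a suspicious body."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # malformed log line; not our concern here
        if entry.get("method") != "PUT" or TARGET_PATH not in entry.get("path", ""):
            continue
        if is_suspicious_body(entry.get("body", "")):
            hits.append((entry.get("user"), entry.get("role"),
                         entry.get("role") in PRIVILEGED_ROLES))
    return hits

# Constructed sample log lines (hypothetical format; the /api/4.0 prefix is assumed).
SAMPLE_LOGS = [
    '{"user":"alice","role":"operations","method":"PUT","path":"/api/4.0/deliveryservice_request_comments?id=7","body":"{\\"value\\":\\"looks good\\"}"}',
    '{"user":"bob","role":"admin","method":"PUT","path":"/api/4.0/deliveryservice_request_comments?id=7","body":"{\\"value\\":\\"x\' OR 1=1 --\\"}"}',
    '{"user":"carol","role":"read-only","method":"GET","path":"/api/4.0/deliveryservice_request_comments","body":""}',
]

if __name__ == "__main__":
    for user, role, privileged in scan_logs(SAMPLE_LOGS):
        print(f"suspicious PUT by {user} (role={role}, privileged={privileged})")
```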


Exploitation of this vulnerability could have devastating consequences, including:

  • Unauthorized access…
