A critical SQL injection vulnerability, identified as CVE-2024-45387, has been discovered in Apache Traffic Control, a widely used open-source platform for managing large-scale content delivery networks (CDNs).
This vulnerability affects versions 8.0.0 through 8.0.1 of the software and has been assigned a CVSS score of 9.9, indicating its severe impact on system confidentiality, integrity, and availability.
The flaw resides in the Traffic Ops component of Apache Traffic Control. Specifically, it allows a privileged user with roles such as “admin,” “federation,” “operations,” “portal,” or “steering” to execute arbitrary SQL commands against the underlying database by sending a specially crafted PUT request to the deliveryservice_request_comments endpoint.
This improper neutralization of special elements in SQL commands is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’).
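To make the CWE-89 classification concrete, the following added example (not code from Apache Traffic Control or from this article) contrasts the defective pattern, splicing a request field into the SQL text, with the parameterized form that neutralizes special characters by construction. The table name, columns and sample rows are constructed stand-ins, and the `update_comment_*` function names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data: a minimal stand-in for a request-comments table.
SEED_ROWS = [
    (1, 10, "alice", "initial review"),
    (2, 11, "bob", "needs change"),
    (3, 12, "carol", "approved"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, dsr_id INTEGER, "
        "author TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def update_comment_vulnerable(conn, comment_id, new_value):
    """Hypothetical CWE-89 pattern: the comment text is spliced into the SQL.

    The id is coerced to int, so the comment body is the only field that
    reaches the database as raw SQL text. Returns the number of rows changed.
    """
    sql = f"UPDATE comments SET value = '{new_value}' WHERE id = {int(comment_id)}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_comment_parameterized(conn, comment_id, new_value):
    """Hardened form: placeholders keep the comment text as data, never SQL."""
    cur = conn.execute(
        "UPDATE comments SET value = ? WHERE id = ?", (new_value, int(comment_id))
    )
    conn.commit()
    return cur.rowcount


def read_values(conn):
    """Return the stored comment values in id order."""
    return [row[0] for row in conn.execute("SELECT value FROM comments ORDER BY id")]


def demo():
    """Run both variants against fresh copies of the table and report outcomes."""
    results = {}
    apostrophe = "it's fine"              # ordinary user input containing a quote
    tampered = "x' WHERE 1=1 --"          # input that closes the string literal

    # Vulnerable variant: a legitimate apostrophe already breaks the statement.
    conn = make_db()
    try:
        update_comment_vulnerable(conn, 1, apostrophe)
        results["vuln_apostrophe"] = "accepted"
    except sqlite3.Error:
        results["vuln_apostrophe"] = "syntax error"

    # Vulnerable variant: the crafted text rewrites the WHERE clause and
    # the update touches every row instead of the one addressed by id.
    conn = make_db()
    results["vuln_tampered_rows"] = update_comment_vulnerable(conn, 1, tampered)
    results["vuln_values"] = read_values(conn)

    # Parameterized variant: both inputs are stored verbatim, one row changes.
    conn = make_db()
    results["safe_tampered_rows"] = update_comment_parameterized(conn, 1, tampered)
    results["safe_values"] = read_values(conn)
    update_comment_parameterized(conn, 1, apostrophe)
    results["safe_apostrophe"] = read_values(conn)[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The apostrophe case is the practical detection hint: an endpoint that returns a database syntax error on ordinary punctuation is treating request fields as SQL text, and the fix is the placeholder form rather than input filtering. Limiting the database account used by the application to the tables and statements it actually needs bounds what such a defect can reach, which matters here because the affected roles are already privileged within the application.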
Exploitation of this vulnerability could have devastating consequences, including:
- Unauthorized access…