Intel
The Apache Software Foundation (ASF) has released updates to address a severe SQL injection vulnerability in Apache Traffic Control, tracked as CVE-2024-45387. Rated critical with a Common Vulnerability Scoring System (CVSS) score of 9.9, the flaw affects Traffic Control, a solution that lets operators build scalable, distributed Content Delivery Networks (CDNs).
Affected Versions
Apache Traffic Control versions 8.0.0 to 8.0.1 are vulnerable, while versions prior to 7.0.0 are unaffected.
Technical Description
The SQL injection flaw resides in the Traffic Ops component. It allows authenticated users holding certain roles, such as "admin", "federation", "operations", "portal", or "steering", to execute arbitrary SQL commands against the backing database by sending a specially crafted PUT request.
Remediation
ASF recommends upgrading to Apache Traffic Control version 8.0.2, which contains the fix. The vulnerability was reported by Yuan Luo of Tencent YunDing Security Lab, another instance of the ongoing collaboration between security researchers and open-source communities.
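As an added triage helper (not from the advisory or the Traffic Control project), the script below classifies an installed Traffic Control version against the ranges stated above. It assumes plain major.minor.patch version strings, compares them numerically rather than as text (so 8.0.10 is correctly seen as newer than 8.0.2), and reports 7.x and pre-release builds as unclassified because this summary says nothing about them.

```python
# Triage helper for CVE-2024-45387 (Apache Traffic Control / Traffic Ops),
# built only from the version facts stated in the advisory summary above.
# Status labels returned by assess():
#   "vulnerable" - 8.0.0 through 8.0.1 (upgrade to 8.0.2)
#   "fixed"      - 8.0.2 or later
#   "unaffected" - anything before 7.0.0
#   "unknown"    - 7.x and pre-release builds, which the summary does not classify

AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (8, 0, 1)
FIXED_IN = (8, 0, 2)
UNAFFECTED_BELOW = (7, 0, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v8.0.1' or '8.0' into a comparable (major, minor, patch) tuple.

    Comparing tuples of ints avoids the string-comparison pitfall where
    '8.0.10' sorts before '8.0.2'. Pre-release or build suffixes such as
    '8.0.2-RC1' are rejected because the summary does not classify them.
    """
    core = text.strip().lstrip("v")
    if "-" in core or "+" in core:
        raise ValueError(f"pre-release or build metadata not classified: {text!r}")
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(text: str) -> str:
    """Classify an installed Traffic Control version against CVE-2024-45387."""
    try:
        v = parse_version(text)
    except ValueError:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED_IN:
        return "fixed"
    if v < UNAFFECTED_BELOW:
        return "unaffected"
    return "unknown"  # 7.x: not covered by this summary, consult the ASF advisory


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real systems).
    for host, ver in [("to-01", "8.0.1"), ("to-02", "8.0.10"), ("to-03", "7.1.0")]:
        print(f"{host}: {ver} -> {assess(ver)}")
```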
Related Security Advisory
Earlier this month, ASF also addressed a remote code execution vulnerability in Struts 2 related to OGNL expression handling (CVE-2020-17530), underscoring the foundation's commitment to securing its projects.