CVE-2021-43350: Apache Traffic Control Releases
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
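The defect class described above is a string-built LDAP search filter that takes the submitted username verbatim. The following Go program is an added illustration written for this page, not Traffic Ops code and not the project's actual patch: it shows the unsafe pattern beside a hardened version that escapes the username per RFC 4515 before it is placed into the filter. The attribute name `uid`, the `objectClass=person` clause, the function names and the sample input are assumptions chosen for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLDAPFilterValue escapes a value for use inside an LDAP search
// filter as specified by RFC 4515 section 3: the characters '*', '(', ')',
// '\' and NUL are replaced by a backslash followed by the two-hex-digit
// byte value, so the value can only match literally and cannot change the
// structure of the surrounding filter. (Added example, not project code.)
func escapeLDAPFilterValue(value string) string {
	var b strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeUserFilter shows the anti-pattern behind the advisory: the username
// is interpolated into the filter unchanged, so filter metacharacters in the
// submitted value alter the query the directory server evaluates.
func unsafeUserFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", username)
}

// safeUserFilter builds the same filter with the username escaped first.
// The attribute names are assumptions for this illustration.
func safeUserFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", escapeLDAPFilterValue(username))
}

func main() {
	// Constructed sample username containing every RFC 4515 special character.
	input := "a*b(c)d\\e"
	fmt.Println("unsafe:", unsafeUserFilter(input))
	fmt.Println("safe:  ", safeUserFilter(input))
}
```

Escaping at the point where the value enters the filter is the fix that generalises: it does not depend on a deny-list of "bad" usernames, and it keeps legitimate names containing parentheses or asterisks working, since they still match as literal values.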
Apache Traffic Control - Security Updates
Past Vulnerabilities
- Apache Traffic Control: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
- CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops
- CVE-2021-42009: Apache Traffic Control Email Injection Vulnerability
- CVE-2020-17522: Apache Traffic Control Mid Tier Cache Manipulation Attack
- CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability
- CVE-2017-7670: Apache Traffic Control Traffic Router Slowloris Denial of Service Vulnerability
Reporting Vulnerabilities
Please use our private security mailing list, [email protected], to disclose any new vulnerability. Disclosing vulnerabilities privately will allow our project team to analyze the report, identify a fix, and begin the full disclosure process. Please include all relevant information to reproduce the issue, and any known workaround or fix.