Pierluigi Paganini December 26, 2024

Apache Software Foundation (ASF) addressed a critical SQL Injection vulnerability, tracked as CVE-2024-45387, in Apache Traffic Control.

The Apache Software Foundation (ASF) released security updates to address a critical security vulnerability, tracked as CVE-2024-45387 (CVSS score 9.9), in Traffic Control.

Traffic Control allows operators to set up a Content Delivery Network to quickly and efficiently deliver content to their users. Traffic Control is a highly distributed, scalable and redundant solution meeting the needs of operators from small to large.

The flaw is an SQL injection vulnerability in Traffic Control (<= 8.0.1, >= 8.0.0), it allows privileged users to execute arbitrary SQL commands.

“An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role “admin”, “federation”, “operations”, “portal”, or “steering” to execute arbitrary SQL against the database by sending a specially-crafted PUT request.” reads the advisory. “Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.”

Traffic Control 7.0.0 before 8.0.0 are not affected by this vulnerability.

The researchers Yuan Luo from Tencent YunDing Security Lab reported the vulnerability.

Early this month, The Apache Software Foundation released a security update to address a “possible remote code execution” flaw in Struts 2 that is related to the OGNL technology. 

The remote code execution flaw, tracked as CVE-2020-17530, resides in forced OGNL evaluation when evaluated on raw user input in tag attributes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Traffic Control)