
CVE-2024-45387 represents a significant security concern within the Traffic Ops component of Apache Traffic Control, specifically impacting versions
At the heart of this vulnerability is an SQL injection flaw. A privileged user, that is, one holding the admin, federation, operations, portal or steering role, can execute arbitrary SQL against the Traffic Ops database by sending a specially crafted PUT request to the Traffic Ops API. As with any SQL injection, the root cause is that a value taken from the request ends up in the text of an SQL statement rather than being passed as a bound parameter, so the structure of the statement becomes attacker-controlled. Note what the precondition does and does not mean: an anonymous attacker cannot trigger the flaw, but any holder of one of those roles, including a compromised or malicious account, is no longer limited to what the role is supposed to permit.
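To make the bug class concrete, here is an added example that is not Traffic Ops code and does not reproduce the actual vulnerable query (which this page does not describe). It models a PUT-style "update one record" handler with Python's standard-library sqlite3 module, first with the value formatted into the SQL text and then with a bound parameter. The table names, the `admin` user and its hash value are constructed for the demonstration. Traffic Ops itself is written in Go, and the same fix applies there: pass request values through database/sql placeholders instead of formatting them into the query string.

```python
import sqlite3

# Constructed sample data; none of this is a real schema, user or hash.
ADMIN_HASH = "$argon2id$constructed-hash-not-real"


def make_db():
    """In-memory database with a few CDN-like rows (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE servers (id INTEGER PRIMARY KEY, hostname TEXT, status TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO servers VALUES (1, 'edge-1', 'ONLINE'), (2, 'edge-2', 'ONLINE'), (3, 'mid-1', 'ONLINE');
        """
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


def update_status_vulnerable(conn, server_id, status):
    """Models the bug class: a value from the PUT body is spliced into the SQL text."""
    sql = "UPDATE servers SET status = '%s' WHERE id = %d" % (status, server_id)
    conn.execute(sql)
    conn.commit()


def update_status_fixed(conn, server_id, status):
    """The fix: bound parameters. The value can never change the statement's structure."""
    conn.execute("UPDATE servers SET status = ? WHERE id = ?", (status, server_id))
    conn.commit()


def statuses(conn):
    """hostname -> status for every server row."""
    return {h: s for h, s in conn.execute("SELECT hostname, status FROM servers ORDER BY id")}


# Payload 1: closes the string literal, then comments out the WHERE clause,
# so a request meant for one server rewrites every row.
DROP_WHERE = "OFFLINE' -- "

# Payload 2: concatenates a subquery into the stored value, so a later ordinary
# read of the server record returns data from a table the caller should never see.
EXFIL = "' || (SELECT password_hash FROM users WHERE username = 'admin') || '"


def run_vulnerable():
    """Apply both payloads to the vulnerable handler; return the table after each."""
    conn = make_db()
    update_status_vulnerable(conn, 3, DROP_WHERE)
    after_drop_where = statuses(conn)
    update_status_vulnerable(conn, 3, EXFIL)
    after_exfil = statuses(conn)
    return after_drop_where, after_exfil


def run_fixed():
    """Same payloads against the parameterised handler: they are stored as plain text."""
    conn = make_db()
    update_status_fixed(conn, 3, DROP_WHERE)
    update_status_fixed(conn, 2, EXFIL)
    return statuses(conn)


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("fixed:     ", run_fixed())
```

The vulnerable handler lets the first payload knock every server offline from a request scoped to one id, and the second payload copies the admin's password hash into a field the caller can read back through a normal request. With bound parameters the identical payloads are stored verbatim as status strings and touch only the intended row.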
Potential Consequences
The implications are severe: the vulnerability carries a CVSS score of 9.9. The score is that high even though exploitation requires an existing privileged account, because the outcome is direct control over the Traffic Ops database rather than misuse of a single API endpoint. Potential impacts include:
- Data breach: reading and extracting any data held in the Traffic Ops database, not only what the user's role exposes through the API.
- Unauthorized access: modifying the records that govern access, so the attacker can reach further restricted functions.
- System takeover: rewriting the CDN configuration that Traffic Ops holds, or corrupting or destroying the database, and thereby disrupting critical operations and services.
Mitigation Strategies
To address this issue, upgrade to Apache Traffic Control version 8.0.2, which contains the fix for the SQL injection flaw. After upgrading, confirm the version actually running on every Traffic Ops instance rather than assuming the rollout succeeded. Because exploitation requires one of the roles listed above, also review which accounts hold those roles and remove any that do not need them; that is good practice regardless of this CVE and narrows the exposure for deployments that cannot upgrade immediately. If you suspect the flaw was exploited, the database server's query logs (where enabled) are the place to look for statements Traffic Ops would not normally issue.
Discovery and Response
This vulnerability was discovered by Yuan Luo of Tencent YunDing Security Lab and reported to the Apache Software Foundation, which fixed it in the 8.0.2 release.

