CVE-2024-45387 CRITICAL

CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments

Vendor Apache Software Foundation

Product Apache Traffic Control

Weakness CWE-89 · SQLi

Published December 23, 2024

Last update December 24, 2024

View on NVD All CVEs

CVSS base score

9.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.

Key dates

Disclosure timeline

December 23, 2024 CVE published

December 24, 2024 Record updated

Identifiers

CVE CVE-2024-45387

CWE CWE-89

CVSS 9.9 / CRITICAL

Affected versions

Vendor Apache Software Foundation

Product Apache Traffic Control

Affected ≥ 8.0.0 and ≤ 8.0.1