Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cTk0LTlwZnYtY2Nxcs4ABCrR
SQL injection in Apache Traffic Control
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request.
Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.
Permalink: https://github.com/advisories/GHSA-vq94-9pfv-ccqrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cTk0LTlwZnYtY2Nxcs4ABCrR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 16 days ago
Updated: 16 days ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Percentage: 0.00043
EPSS Percentile: 0.10912
Identifiers: GHSA-vq94-9pfv-ccqr, CVE-2024-45387
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-45387
- https://lists.apache.org/thread/t38nk5n7t8w3pb66z7z4pqfzt4443trr
- http://www.openwall.com/lists/oss-security/2024/12/23/3
- https://github.com/apache/trafficcontrol/releases/tag/v8.0.2
- https://github.com/advisories/GHSA-vq94-9pfv-ccqr
Blast Radius: 1.0
Affected Packages
go:github.com/apache/trafficcontrol/v8
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 8.0.0, < 8.0.2
Fixed in: 8.0.2
All affected versions: 8.0.0, 8.0.1
All unaffected versions: 8.0.2