Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNmOHItNHF3bS1yN2pm

Improper Authentication in Apache Traffic Control

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.

Permalink: https://github.com/advisories/GHSA-3f8r-4qwm-r7jf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNmOHItNHF3bS1yN2pm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-3f8r-4qwm-r7jf, CVE-2019-12405
References:
Repository: https://github.com/apache/trafficcontrol
Blast Radius: 3.0

Affected Packages

go:github.com/apache/trafficcontrol
Dependent packages: 1
Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 3.0.0, <= 3.0.1
Fixed in: 3.0.2-RC1
All affected versions:
All unaffected versions: 1.1.3, 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.6, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 7.0.0, 7.0.1