Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNmOHItNHF3bS1yN2pm
Improper Authentication in Apache Traffic Control
Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.
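The advisory text says only that a known LDAP username can be authenticated without its password; it does not state the mechanism. The example below is added here and is not Traffic Ops code. It assumes the classic LDAP login pitfall: an LDAP simple bind that carries a user DN but an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), which most directories accept and treat as anonymous, so a login handler that equates "bind returned no error" with "user authenticated" lets anyone log in as any LDAP user with a blank password. The directory, the DN layout and the user "alice" are constructed test data; `vulnerableLogin` and `hardenedLogin` are hypothetical names, not ATC functions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Binder abstracts the simple-bind operation of an LDAP connection so the
// login logic can be exercised without a real directory.
type Binder interface {
	Bind(dn, password string) error
}

// fakeDirectory stands in for an LDAP server (constructed test data, not a
// real directory). It models RFC 4513 section 5.1.2: a bind with a DN but an
// empty password is "unauthenticated" and is accepted as anonymous, which is
// an assumption about the failure mode, not something stated on the page.
type fakeDirectory struct {
	passwords map[string]string // DN -> password
}

func (d *fakeDirectory) Bind(dn, password string) error {
	if password == "" {
		// Unauthenticated bind: no error, but it grants nobody's identity.
		return nil
	}
	if pw, ok := d.passwords[dn]; ok && pw == password {
		return nil
	}
	return errors.New("invalid credentials")
}

// userDN maps a login name to its DN under a hypothetical search base.
// The username is assumed to be already validated; DN escaping is out of
// scope for this example.
func userDN(username string) string {
	return fmt.Sprintf("uid=%s,ou=users,dc=example,dc=com", username)
}

// vulnerableLogin trusts the bind result alone. With an empty password the
// bind "succeeds", so any known username is accepted as authenticated.
func vulnerableLogin(dir Binder, username, password string) bool {
	return dir.Bind(userDN(username), password) == nil
}

// hardenedLogin rejects empty (or whitespace-only) passwords before ever
// contacting the directory, so an unauthenticated bind can never be mistaken
// for a real authentication. The bind error is still surfaced for logging.
func hardenedLogin(dir Binder, username, password string) (bool, error) {
	if strings.TrimSpace(password) == "" {
		return false, errors.New("empty password rejected before LDAP bind")
	}
	if err := dir.Bind(userDN(username), password); err != nil {
		return false, err
	}
	return true, nil
}

// newFakeDirectory builds the constructed directory with a single user.
func newFakeDirectory() *fakeDirectory {
	return &fakeDirectory{passwords: map[string]string{
		userDN("alice"): "correct horse battery staple",
	}}
}

func main() {
	dir := newFakeDirectory()
	fmt.Println("vulnerable, empty password:", vulnerableLogin(dir, "alice", ""))
	ok, err := hardenedLogin(dir, "alice", "")
	fmt.Println("hardened, empty password:", ok, err)
	ok, err = hardenedLogin(dir, "alice", "correct horse battery staple")
	fmt.Println("hardened, right password:", ok, err)
}
```

The check belongs in the application, not in directory configuration: even where a server can be told to refuse unauthenticated binds, a login handler that is deployed against arbitrary LDAP servers should never send an empty password in the first place.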
Permalink: https://github.com/advisories/GHSA-3f8r-4qwm-r7jf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNmOHItNHF3bS1yN2pm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-3f8r-4qwm-r7jf, CVE-2019-12405
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-12405
- https://github.com/apache/trafficcontrol/commit/f780aff77a52d52a37b4d1cc3e8e801c0b557356
- https://lists.apache.org/thread.html/e128e9d382f3b0d074e2b597ac58e1d92139394509d81ddbc9e3700e@%3Cusers.trafficcontrol.apache.org%3E
- https://support.f5.com/csp/article/K84141859
- https://support.f5.com/csp/article/K84141859?utm_source=f5support&utm_medium=RSS
- https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8@%3Ccommits.trafficcontrol.apache.org%3E
- https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf@%3Ccommits.trafficcontrol.apache.org%3E
- https://github.com/advisories/GHSA-3f8r-4qwm-r7jf
Blast Radius: 3.0
Affected Packages
go:github.com/apache/trafficcontrol
Dependent packages: 1
Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 3.0.0, <= 3.0.1
Fixed in: 3.0.2-RC1
All affected versions:
All unaffected versions: 1.1.3, 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.6, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 7.0.0, 7.0.1