CVE-2019-12405

CWE-287 — Improper Authentication4 documents4 sources

Severity

9.8CRITICAL

EPSS

1.2%

top 21.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Apache/trafficcontrol Apache Traffic Control

Timeline

PublishedSep 9

Latest updateMay 18

Description

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Gogithub.com/apache/trafficcontrol3.0.0 — 3.0.2-RC1

▶CVEListV5apache/traffic_control3.0.0 and 3.0.1

▶NVDapache/traffic_control3.0.0, 3.0.1+1

🔴Vulnerability Details

OSV

Improper Authentication in Apache Traffic Control↗2021-05-18

▶

GHSA

Improper Authentication in Apache Traffic Control↗2021-05-18

▶

CVEList

CVE-2019-12405: Improper authentication is possible in Apache Traffic Control versions 3↗2019-09-09

▶