CVE-2021-43350LDAP Injection in Software Foundation Apache Traffic Control

CWE-90LDAP InjectionCWE-74Injection5 documents4 sources
Severity
9.8CRITICALNVD
EPSS
1.7%
top 17.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Apache Software Foundation Apache Traffic ControlGithub.com Apache TrafficcontrolApache Traffic Control
Timeline
PublishedNov 11
Latest updateJun 10

Description

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDapache/traffic_control5.1.05.1.4+3
Gogithub.com/apache_trafficcontrol6.0.06.0.1+3
CVEListV5apache_software_foundation/apache_traffic_controlTraffic Ops6.0.1

🔴Vulnerability Details

4
OSV
Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol2024-06-10
OSV
Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection2022-05-24
GHSA
Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection2022-05-24
CVEList
LDAP filter injection vulnerability in Traffic Ops2021-11-11
CVE-2021-43350 — LDAP Injection | cvebase