CVE-2024-45387

CWE-89 — SQL Injection CWE-2855 documents4 sources

Severity

8.8HIGH

EPSS

44.0%

top 2.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Apache/trafficcontrol/v8 Apache Traffic Control Apache Software Foundation Apache Traffic Control

Timeline

PublishedDec 23

Latest updateJan 7

Description

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control = 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages3 packages

▶NVDapache/traffic_control8.0.0 — 8.0.2

▶Gogithub.com/apache/trafficcontrol/v88.0.0 — 8.0.2

▶CVEListV5apache_software_foundation/apache_traffic_control8.0.0 — 8.0.1

🔴Vulnerability Details

OSV

SQL injection in Apache Traffic Control in github.com/apache/trafficcontrol↗2025-01-07

▶

CVEList

Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments↗2024-12-23

▶

GHSA

SQL injection in Apache Traffic Control↗2024-12-23

▶

OSV

SQL injection in Apache Traffic Control↗2024-12-23

▶