Apache Software Foundation Apache Traffic Control vulnerabilities
6 known vulnerabilities affecting apache_software_foundation/apache_traffic_control.
Total CVEs
6
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH4MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2025-61581HIGHCVSS 7.5fixed in *2025-10-16
CVE-2025-61581 [HIGH] CWE-1333 CVE-2025-61581: ** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Tr
** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.
This issue affects Apache Traffic Control: all versions.
People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.
As this project is retired, we do not p
cvelistv5nvd
CVE-2024-45387HIGHCVSS 8.8≥ 8.0.0, ≤ 8.0.12024-12-23
CVE-2024-45387 [CRITICAL] CWE-89 CVE-2024-45387: An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control = 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request.
Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run
cvelistv5nvd
CVE-2022-23206HIGHCVSS 7.5≥ Traffic Ops, < 6.1.02022-02-06
CVE-2022-23206 [HIGH] CWE-918 CVE-2022-23206: In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Tr
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.
cvelistv5nvd
CVE-2021-43350CRITICALCVSS 9.8≥ Traffic Ops, < 6.0.12021-11-11
CVE-2021-43350 [CRITICAL] CWE-90 CVE-2021-43350: An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-craft
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
cvelistv5nvd
CVE-2021-42009MEDIUMCVSS 4.3≥ 4.0.0, < Apache Traffic Control*2021-10-12
CVE-2021-42009 [MEDIUM] CWE-20 CVE-2021-42009: An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a req
An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email subject to the /deliveryservices/request Traffic Ops endpoint to send an email, from the Traffic Ops server, with an arbitrary body to an arbitrary email address. Apache Traffic Control 5.1.x users should upgrade to
cvelistv5nvd
CVE-2017-7670HIGHCVSS 7.5v1.8.0 incubatingv2.0.0 RC0 incubating2017-07-10
CVE-2017-7670 [HIGH] CWE-400 CVE-2017-7670: The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slo
The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Traffic Router is restarted. If connections remain in the ESTABLISHED state in
cvelistv5nvd