The Apache Software Foundation (ASF) has provided security updates to address a critical security flaw in the Traffic Management System that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in a database.
The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system.
"Traffic Ops SQL Injection Vulnerability in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with the 'admin', 'federation', 'operations', 'portal' or 'management' roles to execute arbitrary SQL against the database by sending a specially crafted PUT request," project maintainers said in the advisory.
Apache Traffic Control is an open-source implementation of a Content Delivery Network (CDN). It was announced as an ASF Top-Level Project (TLP) in June 2018.
Tencent YunDing Security Lab researcher Yuan Luo is credited with discovering and reporting the vulnerability. It was fixed in Apache Traffic Control version 8.0.2.
The development comes as the ASF resolved an authentication bypass bug in Apache HugeGraph-Server (CVE-2024-43441) affecting versions 1.0 to 1.3. A fix for the flaw was released in version 1.5.0.
It also follows the release of a patch for an important vulnerability in Apache Tomcat (CVE-2024-56337), which can lead to Remote Code Execution (RCE) under certain conditions.
Users are encouraged to update their instances to the latest software versions to protect against potential threats.