Published Date: December 24, 2024
| Package | Affected Versions | Patched Versions | Severity |
|---|---|---|---|
| 📦 github.com/apache/trafficcontrol/v8 (Go) | >= 8.0.0, < 8.0.2 | 8.0.2 | Critical |
## Description

### Vulnerability Details
An SQL injection vulnerability exists in Traffic Ops within Apache Traffic Control versions 8.0.0 to 8.0.1.
A privileged user with one of the following roles can exploit this flaw:
- admin
- federation
- operations
- portal
- steering
By sending a specially crafted PUT request, the attacker can execute arbitrary SQL commands on the database.
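The class of flaw described above, as an added Go example that is not code from Apache Traffic Control or from this advisory: `BuildUnsafeUpdate` shows the injectable pattern of splicing a request value into the SQL text of an UPDATE issued for a PUT, and `BuildSafeUpdate` shows the standard fix of a constant statement with bound placeholders. The table name `example`, the function names and the constructed payload are assumptions for illustration; `StatementCount` is a deliberately crude quote- and comment-aware counter used only to make the difference visible.

```go
package main

import (
	"fmt"
	"unicode"
)

// Constructed example, not code from Apache Traffic Control. Table and
// function names are illustrative assumptions.

// BuildUnsafeUpdate mimics the injectable pattern: the caller-supplied value
// becomes part of the SQL text, so a quote in the value changes the statement.
func BuildUnsafeUpdate(id int, name string) string {
	return fmt.Sprintf("UPDATE example SET name = '%s' WHERE id = %d", name, id)
}

// BuildSafeUpdate keeps the SQL text constant and passes the value as a bound
// argument (database/sql style placeholders); the driver never parses it as SQL.
func BuildSafeUpdate(id int, name string) (string, []interface{}) {
	const q = "UPDATE example SET name = $1 WHERE id = $2"
	return q, []interface{}{name, id}
}

// StatementCount counts SQL statements in a string: ';' outside single quotes
// ends a statement, "--" outside quotes discards the rest of the line, and a
// trailing statement without ';' still counts. Crude, for demonstration only.
func StatementCount(sql string) int {
	count := 0
	inQuote := false
	pending := false // non-blank SQL seen since the last ';'
	rs := []rune(sql)
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		switch {
		case r == '\'':
			inQuote = !inQuote
			pending = true
		case !inQuote && r == '-' && i+1 < len(rs) && rs[i+1] == '-':
			for i < len(rs) && rs[i] != '\n' {
				i++
			}
		case !inQuote && r == ';':
			if pending {
				count++
			}
			pending = false
		case !unicode.IsSpace(r):
			pending = true
		}
	}
	if pending {
		count++
	}
	return count
}

func main() {
	// Constructed value a PUT body might carry; the quote closes the literal
	// and smuggles a second statement into the concatenated text.
	payload := "x'; SELECT version(); --"

	unsafe := BuildUnsafeUpdate(7, payload)
	fmt.Printf("unsafe: %q -> %d statement(s)\n", unsafe, StatementCount(unsafe))

	safe, args := BuildSafeUpdate(7, payload)
	fmt.Printf("safe:   %q -> %d statement(s), args=%v\n", safe, StatementCount(safe), args)
}
```

The invariant worth checking in a code review or a unit test is the one the safe form has and the unsafe form lacks: the statement text returned for a hostile value is byte-for-byte the same as for a benign one, so the input can only ever be data.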
## Patches & Workarounds

### Recommended Action
Upgrade to Apache Traffic Control 8.0.2 immediately if you’re running an affected version.
If upgrading isn’t possible right away:
- Review database logs for unusual queries.
- Restrict privileged user access.
- Monitor PUT requests to Traffic Ops closely.
This vulnerability allows significant control over the database, so addressing it promptly is crucial.