oss-sec mailing list archives
CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability
From: Rawlin Peters <rawlin () apache org>
Date: Fri, 6 Sep 2019 13:54:47 -0600
CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability Severity: Critical Vendor: The Apache Software Foundation Versions affected: Traffic Control 3.0.0 Traffic Control 3.0.1 Description: The Traffic Ops API component of the Apache Traffic Control project is vulnerable to improper authentication when LDAP is enabled. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password. Mitigation: 3.x users should upgrade to 3.0.2. If the upgrade cannot be done immediately, LDAP authentication can be disabled by removing the Traffic Ops LDAP configuration file -- ldap.conf -- in order to mitigate the vulnerability until an upgrade to 3.0.2 can be performed. References: Downloads: http://trafficcontrol.apache.org/releases/ CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12405 Project security: http://trafficcontrol.apache.org/security/ -- Thanks, Rawlin
Current thread:
- CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability Rawlin Peters (Sep 06)