oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability

From: Rawlin Peters <rawlin () apache org>
Date: Fri, 6 Sep 2019 13:54:47 -0600
CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions affected:
Traffic Control 3.0.0
Traffic Control 3.0.1

Description:
The Traffic Ops API component of the Apache Traffic Control project is
vulnerable to improper authentication when LDAP is enabled. Given a username
for a user that can be authenticated via LDAP, it is possible to improperly
authenticate as that user without that user's correct password.

Mitigation:
3.x users should upgrade to 3.0.2.
If the upgrade cannot be done immediately, LDAP authentication can be disabled
by removing the Traffic Ops LDAP configuration file -- ldap.conf -- in order to
mitigate the vulnerability until an upgrade to 3.0.2 can be performed.

References:
    Downloads:
        http://trafficcontrol.apache.org/releases/
    CVE:
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12405
    Project security:
        http://trafficcontrol.apache.org/security/
--
Thanks,
Rawlin
Previous By Date Next
Previous By Thread Next

Current thread: