oss-sec mailing list archives
Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops
From: Zach Hoffman <zrhoffman () apache org>
Date: Tue, 16 Nov 2021 13:51:52 -0700
CORRECTION: This issue was discovered by Apache Traffic Control user zhouxufeng () bytedance com.

On Thu, 2021-11-11 at 20:45 +0000, Zach Hoffman wrote:

Severity: critical

Description: An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.

Credit: This issue was discovered by Apache Traffic Control user pupiles.

References: https://trafficcontrol.apache.org/security/
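The class of bug described in the advisory, shown with its mitigation as an added example that is not part of the original message and is not Traffic Ops code: a username is escaped per RFC 4515 before it is placed in an LDAP search filter. The filter template, function names and sample username are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// userFilter is a hypothetical search filter template; a real deployment's
// filter will differ.
const userFilter = "(&(objectClass=person)(uid=%s))"

// escapeLDAPFilterValue encodes the bytes RFC 4515 reserves inside a filter
// assertion value ('\', '*', '(', ')' and NUL) as a backslash followed by two
// hex digits. Working byte-wise is safe for UTF-8 input because none of these
// values occur inside a multi-byte sequence.
func escapeLDAPFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeFilter interpolates the username as-is, so filter metacharacters in
// the login request become part of the filter's structure.
func unsafeFilter(username string) string {
	return fmt.Sprintf(userFilter, username)
}

// safeFilter escapes the username first, so it can only ever be matched as a
// literal value of the uid attribute.
func safeFilter(username string) string {
	return fmt.Sprintf(userFilter, escapeLDAPFilterValue(username))
}

func main() {
	// Constructed sample input containing every reserved printable character.
	username := `j*(doe)\`
	fmt.Println("unescaped:", unsafeFilter(username))
	fmt.Println("escaped:  ", safeFilter(username))
	// The escaped filter always has exactly the template's three groups.
	fmt.Println("groups:   ", strings.Count(safeFilter(username), "("))
}
```
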