
List:       oss-security
Subject:    [oss-security] Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Tr
From:       Zach Hoffman <zrhoffman () apache ! org>
Date:       2021-11-16 20:51:52
Message-ID: 3ba4a13789030965b7bf6aa7258cfd830db1d63c.camel () apache ! org

CORRECTION:
This issue was discovered by Apache Traffic Control user zhouxufeng@bytedance.com.

On Thu, 2021-11-11 at 20:45 +0000, Zach Hoffman wrote:
> Severity: critical
> 
> Description:
> 
> An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a
> specially-crafted username to the POST /login endpoint of any API version to inject
> unsanitized content into the LDAP filter.
> 
> Credit:
> 
> This issue was discovered by Apache Traffic Control user pupiles.
> 
> References:
> 
> https://trafficcontrol.apache.org/security/
> 
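
Added example, not part of the original message and not Apache Traffic Control's code: the class of bug described above arises when a login name is concatenated into an LDAP search filter, and the usual mitigation is to escape the value per RFC 4515 before building the filter. The attribute name `uid`, all function names and the sample input are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes the bytes RFC 4515 requires to be escaped in a
// search-filter assertion value: NUL, '(', ')', '*' and '\'.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case 0x00, '(', ')', '*', '\\':
			fmt.Fprintf(&b, "\\%02x", c) // e.g. '*' becomes \2a
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeUserFilter shows the vulnerable pattern: the name is used as-is, so
// filter metacharacters in it become part of the filter's structure.
func unsafeUserFilter(username string) string {
	return "(uid=" + username + ")"
}

// safeUserFilter escapes the name first, so it can only ever be a literal.
func safeUserFilter(username string) string {
	return "(uid=" + escapeFilterValue(username) + ")"
}

// isSingleLiteralTerm reports whether a filter built by the functions above is
// still one parenthesised term with no wildcard, i.e. its structure is intact.
func isSingleLiteralTerm(filter string) bool {
	return strings.Count(filter, "(") == 1 &&
		strings.Count(filter, ")") == 1 &&
		!strings.Contains(filter, "*")
}

func main() {
	name := "a*b(c)d\\e" // constructed input containing filter metacharacters
	for _, f := range []string{unsafeUserFilter(name), safeUserFilter(name)} {
		fmt.Printf("%-28s structure intact: %v\n", f, isSingleLiteralTerm(f))
	}
}
```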

