oss-sec mailing list archives
CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops
From: Zach Hoffman <zrhoffman () apache org>
Date: Thu, 11 Nov 2021 20:45:08 +0000
Severity: critical

Description:

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.

Credit:

This issue was discovered by Apache Traffic Control user pupiles.

References:

https://trafficcontrol.apache.org/security/
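
Added example (not part of the advisory and not Traffic Ops code): escaping a login username per RFC 4515 before it is placed in an LDAP search filter, shown next to the unescaped pattern that produces this class of bug. The filter template, the function names and the sample usernames are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical filter template (assumption): the advisory does not show
// the filter that Traffic Ops builds.
const filterTemplate = "(&(objectClass=person)(uid=%s))"

// escapeFilterValue encodes the bytes RFC 4515 reserves inside an
// assertion value (\ * ( ) and NUL) as a backslash plus two hex digits.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c) // multi-byte UTF-8 passes through unchanged
		}
	}
	return b.String()
}

// unsafeFilter is the flawed pattern: the username is pasted in as-is,
// so filter metacharacters in it become part of the filter structure.
func unsafeFilter(username string) string {
	return fmt.Sprintf(filterTemplate, username)
}

// safeFilter escapes first, so the username stays one literal value.
func safeFilter(username string) string {
	return fmt.Sprintf(filterTemplate, escapeFilterValue(username))
}

func main() {
	// Constructed sample usernames, not taken from the advisory.
	for _, u := range []string{"alice", "a*", "x)(cn=y"} {
		un, sf := unsafeFilter(u), safeFilter(u)
		// The template has three "(": any other count means the
		// username changed the shape of the filter.
		fmt.Printf("%-10q unsafe=%s (%d groups)\n", u, un, strings.Count(un, "("))
		fmt.Printf("%-10q safe  =%s (%d groups)\n", u, sf, strings.Count(sf, "("))
	}
}
```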