SB2021111211 - LDAP injection in Apache Traffic Control
Published: November 12, 2021
Security Bulletin ID
SB2021111211
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) LDAP injection (CVE-ID: CVE-2021-43350)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper input validation when processing usernames in Apache Traffic Control Traffic Ops. A remote non-authenticated attacker can send a specially crafted POST request to the /login endpoint of any API version and inject arbitrary content into LDAP filter.
Successful exploitation of the vulnerability may allow an attacker to bypass authentication process and gain unauthorized access to the application.
Remediation
Install update from vendor's website.