An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.
An attacker with an account holding one of the following roles: 'admin', 'federation', 'operations', 'portal' or 'steering' can send a specially crafted HTTP PUT request to Traffic Ops. Improper input validation (CWE-89) and insufficient access control (CWE-285) allow injection of arbitrary SQL code, which is executed directly on the database. The attack does not require interaction from another user and can be conducted remotely over the network.
An attacker can read, modify, or delete any data in the Traffic Ops database, leading to complete breach of confidentiality, integrity, and availability of the CDN management system. The scope of the attack extends beyond the application context itself (Scope: Changed), meaning potential impact on dependent infrastructure.
Apache Traffic Control should be updated to version 8.0.2, which contains a patch eliminating the vulnerability. If immediate update is not possible, it is recommended to restrict network access to the Traffic Ops interface to trusted hosts only and audit accounts holding the following roles: 'admin', 'federation', 'operations', 'portal' and 'steering'.
Apache Traffic Control in versions 8.0.0 and 8.0.1 (Traffic Ops component)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HApache Traffic Control
APPApache8.0.0 – 8.0.2 (bez)
Related vulnerabilities
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted usernam...
Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for ...
** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Cont...
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops ...
The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris sty...