461/67 Friday, December 27, 2024
The Apache Software Foundation (ASF) has released a security update to address a critical vulnerability in Apache Traffic Control that could allow malicious actors to execute harmful SQL commands on the database. Identified as CVE-2024-45387, the vulnerability has been assigned a CVSS score of 9.9 out of 10.0. It affects Traffic Ops in Apache Traffic Control versions 8.0.0 through 8.0.1 (>= 8.0.0 and <= 8.0.1). Users with 'admin', 'federation', 'operations', 'portal', or 'steering' permissions can exploit this flaw by sending specially crafted PUT requests that inject SQL into the database.
Apache Traffic Control is an open-source solution for managing Content Delivery Networks (CDNs) and has been a Top-Level Project since June 2018. The vulnerability was discovered by Yuan Luo, a researcher from Tencent YunDing Security Lab, and has been patched in Apache Traffic Control version 8.0.2.
In addition, ASF has addressed an Authentication Bypass vulnerability in Apache HugeGraph-Server (CVE-2024-43441), which affects versions 1.0 through 1.3. This issue has been fixed in version 1.5.0. ASF has also resolved vulnerabilities in Apache Tomcat that could lead to Remote Code Execution (RCE).
Users are strongly advised to update their software to the latest versions to mitigate potential risks associated with these vulnerabilities.
Source: https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.html