
=====================================================================

                              CERT-Renater

                  Information Note No. 2021/VULN603
_____________________________________________________________________

DATE                : 12/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Traffic Control 6.0.x
                     prior to 6.0.1 or 5.1.x prior to 5.1.4.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202111.mbox/%3ceca64e9e-5f1f-ef56-b5f3-0b8f3a83be4a@apache.org%3e
_____________________________________________________________________

CVE-2021-43350: Apache Traffic Control: LDAP filter injection
vulnerability in Traffic Ops


Severity: critical

Description:

An unauthenticated Apache Traffic Control Traffic Ops user can send a
request with a specially crafted username to the POST /login endpoint
of any API version to inject unsanitized content into the LDAP filter.
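The defect class described above is the concatenation of an untrusted username into an LDAP search filter. The following Go code is an added illustration written for this note, not Traffic Ops source: it places the vulnerable concatenation pattern beside a hardened version that escapes the value per RFC 4515 before it enters the filter. The attribute names (uid, objectClass) and the filter shape are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeLDAPFilterValue escapes a value for use inside an LDAP search
// filter as required by RFC 4515 section 3: '*', '(', ')', '\' and NUL
// become a backslash followed by the two-digit hex code of the byte.
// Bytes above 0x7f are escaped too, so non-ASCII input stays literal.
func EscapeLDAPFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '*', c == '(', c == ')', c == '\\', c == 0x00, c > 0x7f:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UnsafeLoginFilter shows the vulnerable pattern: the caller-supplied
// username is interpolated verbatim, so any filter metacharacter in it
// changes the structure of the filter instead of being matched literally.
func UnsafeLoginFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", username)
}

// SafeLoginFilter builds the same filter but escapes the username first,
// so the value can only ever be compared as a literal string.
func SafeLoginFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", EscapeLDAPFilterValue(username))
}

func main() {
	// Constructed sample usernames, including ones that carry the
	// metacharacters an LDAP filter treats specially.
	for _, u := range []string{"alice", "a*b", `smith (it\ops)`} {
		fmt.Printf("input:  %q\nunsafe: %s\nsafe:   %s\n\n",
			u, UnsafeLoginFilter(u), SafeLoginFilter(u))
	}
}
```

Running it shows that only the escaped variant keeps the two-term AND filter intact for every input; a production fix would also apply an allow-list on the username before it reaches the directory query.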

Mitigation:

6.0.x users should upgrade to 6.0.1.
5.1.x users should upgrade to 5.1.4.

Credit:

This issue was discovered by Apache Traffic Control user pupiles.

References:

https://trafficcontrol.apache.org/security/


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

