=====================================================================

                             CERT-Renater

                   Information Note No. 2021/VULN066
_____________________________________________________________________

DATE                : 08/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Traffic Control versions
                             prior to 6.0.1, 5.1.4.

=====================================================================
https://lists.apache.org/thread/01o21s5z16791ywrfds91l4x9vdgsn1r
_____________________________________________________________________

CVE-2021-43350: Apache Traffic Control: LDAP filter injection
vulnerability in Traffic Ops


Severity: critical

Description:

An unauthenticated Apache Traffic Control Traffic Ops user can send a
request with a specially-crafted username to the POST /login endpoint
of any API version to inject unsanitized content into the LDAP filter.
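
As an added illustration (not part of the advisory or of the Traffic Control code base), the Go snippet below contrasts a filter built by plain string interpolation with one that escapes the username per RFC 4515 before it reaches the search filter; the attribute name and the sample usernames are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Characters RFC 4515 reserves inside a filter assertion value. A username
// carrying any of them would change the filter's structure if interpolated
// verbatim, which is the defect class this advisory describes.
const filterMetachars = "\\*()\x00"

// buildFilterUnsafe mirrors the vulnerable pattern: the raw username is
// dropped straight into the search filter.
func buildFilterUnsafe(attr, username string) string {
	return fmt.Sprintf("(%s=%s)", attr, username)
}

// escapeFilterValue applies RFC 4515 escaping: each reserved byte, every
// control byte and every non-ASCII byte becomes a backslash plus two hex
// digits, so the value can never open or close a filter component.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if strings.IndexByte(filterMetachars, c) >= 0 || c < 0x20 || c > 0x7e {
			fmt.Fprintf(&b, "\\%02x", c)
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

// buildFilterSafe is the hardened form: escape first, then interpolate.
func buildFilterSafe(attr, username string) string {
	return fmt.Sprintf("(%s=%s)", attr, escapeFilterValue(username))
}

// hasFilterMetachars supports the stricter alternative of rejecting the
// login request outright instead of escaping the value.
func hasFilterMetachars(username string) bool {
	return strings.ContainsAny(username, filterMetachars)
}

func main() {
	// Constructed sample usernames for the demonstration.
	for _, u := range []string{"plain.user", `user*(name)\`} {
		fmt.Println("unsafe:", buildFilterUnsafe("uid", u))
		fmt.Println("safe:  ", buildFilterSafe("uid", u))
		fmt.Println("reject:", hasFilterMetachars(u))
	}
}
```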


Mitigation:

6.0.x users should upgrade to 6.0.1.
5.1.x users should upgrade to 5.1.4.


Credit:

This issue was discovered by Apache Traffic Control user pupiles.

References:

https://trafficcontrol.apache.org/security/


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email: cert@support.renater.fr+
=========================================================