Ce mail provient de l'extérieur, restons vigilants

======================================================================

                                CERT-Renater

                    Note d'Information No. 2024/VULN556
_____________________________________________________________________

DATE                : 24/12/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Traffic Control versions
                                  prior to 8.0.2.

=====================================================================
https://lists.apache.org/thread/t0g20yxq08hyvb83715t27hmbr51kqbk
_____________________________________________________________________

CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops
endpoint PUT deliveryservice_request_comments

Affected versions:

- Apache Traffic Control 8.0.0 through 8.0.1
- Apache Traffic Control 7.0.0 before 8.0.0 unaffected

Description:

An SQL injection vulnerability in Traffic Ops in Apache Traffic
Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin",
"federation", "operations", "portal", or "steering" to execute
arbitrary SQL against the database by sending a specially-crafted PUT
request.

Users are recommended to upgrade to version Apache Traffic Control
8.0.2 if you run an affected version of Traffic Ops.

Credit:

Yuan Luo from Tencent YunDing Security Lab (reporter)

References:

https://trafficcontrol.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45387




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================