Urgent: Severe SQL Injection Flaw in Apache Traffic Control Scores Near-Perfect 9.9 – Update Now

Critical Security Update: Apache Traffic Control Patches Severe SQL Injection Vulnerability

The Apache Software Foundation has released crucial security updates addressing a critical vulnerability in Traffic Control, identified as CVE-2024-45387. This severe flaw, scoring 9.9 out of 10.0 on the CVSS scale, could enable SQL injection attacks against the database.

The vulnerability affects Traffic Control versions 8.0.1 and earlier. An authenticated user holding one of the privileged roles (admin, federation, operations, portal, or steering) could execute arbitrary SQL commands against the database by sending specially crafted PUT requests.
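
To make the mechanism concrete, the following is an added illustration, not Traffic Control's own code and not a reconstruction of the patched code path. It contrasts an update handler that interpolates fields from a PUT body straight into SQL text with one that validates the record identifier and binds values as query parameters. The in-memory `servers` table, its columns, and the request values are all constructed for this demonstration.

```python
import sqlite3

# Constructed sample data; this is not Apache Traffic Control's schema.
SEED_ROWS = [
    (1, "edge-01", "ONLINE"),
    (2, "edge-02", "ONLINE"),
    (3, "mid-01", "ONLINE"),
]


def make_db():
    """Create a throwaway in-memory database seeded with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE servers (id INTEGER PRIMARY KEY, host_name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def count_status(conn, status):
    """Return how many rows currently carry the given status."""
    row = conn.execute(
        "SELECT COUNT(*) FROM servers WHERE status = ?", (status,)
    ).fetchone()
    return row[0]


def update_status_vulnerable(conn, server_id, status):
    """Weak pattern: the request fields become part of the SQL text.

    A PUT body whose id field is '1 OR 1=1' turns a single-row update into a
    table-wide one, because the WHERE clause is rewritten rather than compared.
    Returns the number of rows changed so the blast radius is visible.
    """
    sql = "UPDATE servers SET status = '%s' WHERE id = %s" % (status, server_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def parse_server_id(raw):
    """Validate the identifier before it gets anywhere near the database.

    Only a string of decimal digits is accepted; anything else is rejected
    with ValueError, which a real handler would map to an HTTP 400.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("server id must be a non-negative integer")
    return int(raw)


def update_status_safe(conn, server_id, status):
    """Hardened pattern: validated id plus parameter binding.

    Both values travel to the driver as data, never as SQL text, so the
    statement shape is fixed regardless of what the request contained.
    """
    sid = parse_server_id(server_id)
    cur = conn.execute(
        "UPDATE servers SET status = ? WHERE id = ?", (status, sid)
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Run both handlers against the same constructed request and report
    (rows changed by the weak handler, rows changed by the hardened handler,
    whether the hardened handler rejected the malformed id)."""
    weak = update_status_vulnerable(make_db(), "1 OR 1=1", "OFFLINE")
    conn = make_db()
    hardened = update_status_safe(conn, "1", "OFFLINE")
    rejected = False
    try:
        update_status_safe(conn, "1 OR 1=1", "OFFLINE")
    except ValueError:
        rejected = True
    return weak, hardened, rejected


if __name__ == "__main__":
    print(demo())  # (3, 1, True)
```

The row counts are the point: the interpolating handler reports three changed rows for what was supposed to be a single-record update, while the hardened handler changes exactly one row and refuses the malformed identifier outright. Parameter binding covers values only; identifiers such as column or table names cannot be bound and need an explicit allow-list check of the same kind as `parse_server_id`.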

Key Points:
– Vulnerability discovered by Yuan Luo from Tencent YunDing Security Lab
– Patched in Apache Traffic Control version 8.0.2
– Affects Apache Traffic Control, an open-source CDN implementation
– Became an Apache top-level project in June 2018

Additional Security Updates:
– Apache HugeGraph-Server: Authentication bypass flaw (CVE-2024-43441) fixed in version 1.5.0
– Apache Tomcat: Remote code execution vulnerability (CVE-2024-56337) patched

Users are strongly advised to upgrade to the latest versions to mitigate these security risks.