The Apache Software Foundation has released crucial security updates addressing a critical vulnerability in Traffic Control, identified as CVE-2024-45387. This severe flaw, scoring 9.9 out of 10.0 on the CVSS scale, could enable SQL injection attacks against the database.
The vulnerability affects Traffic Control versions 8.0.1 and earlier, potentially allowing privileged users with specific roles (admin, federation, operations, portal, or steering) to execute arbitrary SQL commands through specially crafted PUT requests.
Key Points:
– Vulnerability discovered by Yuan Luo from Tencent YunDing Security Lab
– Patched in Apache Traffic Control version 8.0.2
– Affects Apache Traffic Control, an open-source CDN implementation
– Became an Apache top-level project in June 2018
Additional Security Updates:
– Apache HugeGraph-Server: Authentication bypass flaw (CVE-2024-43441) fixed in version 1.5.0
– Apache Tomcat: Remote code execution vulnerability (CVE-2024-56337) patched
Users are strongly advised to upgrade to the latest versions to mitigate these security risks.