Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now

Avatar
The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system. “An SQL injection

The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database.

The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system.

“An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering’ to execute arbitrary SQL against the database by sending a specially-crafted PUT request,” project maintainers said in an advisory.

Apache Traffic Control is an open-source implementation of a Content Delivery Network (CDN). It was announced as a top-level project (TLP) by the AS in June 2018.

Tencent YunDing Security Lab researcher Yuan Luo has been credited with discovering and reporting the vulnerability. It has been patched in version Apache Traffic Control 8.0.2.

The development comes as the ASF has resolved an authentication bypass flaw in Apache HugeGraph-Server (CVE-2024-43441) from versions 1.0 through 1.3. A fix for the shortcoming has been released in version 1.5.0.

It also follows the release of a patch for an important vulnerability in Apache Tomcat (CVE-2024-56337) that could result in remote code execution (RCE) under certain conditions.

Users are recommended to update their instances to the latest versions of the software to protect against potential threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Iran’s Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Next Post

Ruijie Networks’ Cloud Platform Flaws Could’ve Exposed 50,000 Devices to Remote Attacks

Related Posts

European Privacy Group Sues TikTok and AliExpress for Illicit Data Transfers to China

Austrian privacy non-profit None of Your Business (noyb) has filed complaints accusing companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi of violating data protection regulations in the European Union by unlawfully transferring users' data to China. The advocacy group is seeking an immediate suspension of such transfers, stating the companies in question cannot shield user data
Avatar
Read More

FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux

Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707. Some of the other targets include a telecommunications entity and a university,
Avatar
Read More