#VU58115 LDAP injection in Apache Traffic Control - CVE-2021-43350
Published: November 12, 2021
Vulnerability identifier: #VU58115
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-43350
CWE-ID: CWE-90
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Traffic Control
Apache Traffic Control
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper input validation when processing usernames in Apache Traffic Control Traffic Ops. A remote non-authenticated attacker can send a specially crafted POST request to the /login endpoint of any API version and inject arbitrary content into LDAP filter.
Successful exploitation of the vulnerability may allow an attacker to bypass authentication process and gain unauthorized access to the application.
Remediation
Install updates from vendor's website.