CVE-2019-12405 – github.com/apache/trafficcontrol
Package
Manager: go
Name: github.com/apache/trafficcontrol
Vulnerable Version: >=3.0.0 <3.0.2-rc1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01172 (percentile: 0.77892)
Details
Improper Authentication in Apache Traffic Control
Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.
Metadata
Created: 2021-05-18T15:39:16Z
Modified: 2021-10-13T17:25:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-3f8r-4qwm-r7jf/GHSA-3f8r-4qwm-r7jf.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-3f8r-4qwm-r7jf
Finding: F039
Auto approve: 1