LDAP injection in Apache Traffic Control - CVE-2021-43350

 

LDAP injection in Apache Traffic Control - CVE-2021-43350

Published: November 12, 2021


Vulnerability identifier: #VU58115
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-43350
CWE-ID: CWE-90
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Traffic Control

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper input validation when processing usernames in Apache Traffic Control Traffic Ops. A remote non-authenticated attacker can send a specially crafted POST request to the /login endpoint of any API version and inject arbitrary content into LDAP filter. 

Successful exploitation of the vulnerability may allow an attacker to bypass authentication process and gain unauthorized access to the application.


How to mitigate CVE-2021-43350

Install updates from vendor's website.

Sources