A high-severity SQL injection vulnerability, identified as CVE-2024-45387, has been disclosed in Apache Traffic Control, affecting versions 8.0.0 through 8.0.1. This flaw, with a CVSS score of 8.8, allows privileged users with roles such as "admin," "federation," "operations," "portal," or "steering" to execute arbitrary SQL commands against the database. The vulnerability is triggered by sending a specially-crafted PUT request to the Traffic Ops component of the software.
The SQL injection vulnerability, categorized under CWE-89 and CWE-285, poses a significant risk as it can be exploited to manipulate database queries, potentially leading to unauthorized data access or modification. The exploitability of this flaw is underscored by its EPSS score of 0.506, indicating a moderate likelihood of exploitation in the wild.
Apache Traffic Control is a widely used open-source content delivery network (CDN) control plane, and this vulnerability could have serious implications for organizations relying on it for managing their CDN operations. The flaw's presence in the Traffic Ops component means that attackers with the necessary privileges could compromise the integrity and confidentiality of the data managed by the platform.
Users of Apache Traffic Control are strongly advised to review their access controls and apply any available patches or mitigations to protect against potential exploitation. Given the severity of the vulnerability, organizations should prioritize tracking and addressing this issue to safeguard their systems.
CSURFACE