Security researcher Abdelrhman Zayed, in collaboration with Mohamed Abdelhady, has published proof-of-concept (PoC) exploit code for CVE-2024-45387, a critical SQL injection vulnerability in Apache Traffic Control. The flaw carries a near-maximum CVSS score of 9.9 out of 10, signaling its potential to cause significant damage if exploited.
According to the ASF advisory, CVE-2024-45387 resides in the Traffic Ops module of Apache Traffic Control versions 8.0.0 to 8.0.1. It allows privileged users with roles such as ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering’ to execute arbitrary SQL commands against the database by sending a specially crafted PUT request.
The ASF advisory describes the flaw as follows: “An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user to execute arbitrary SQL against the database by sending a specially-crafted PUT request.”
This vulnerability could enable attackers to manipulate sensitive database contents, compromise system integrity, or exfiltrate critical data.
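The advisory does not publish the vulnerable code path, so the following is an added illustration written for this page, not Traffic Ops code and not the researchers' PoC. It shows the general pattern the advisory describes: a hypothetical PUT handler that splices a JSON field from the request body into an UPDATE statement, beside the same handler with bound parameters, run against a constructed in-memory SQLite database. The table and column names, the stored secret and the payload are all made up for the example.

```python
import json
import sqlite3


def make_db():
    """Constructed sample data: a comments table a PUT handler updates, plus a
    second table the handler should never let a caller reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, value TEXT)")
    conn.executemany("INSERT INTO comments (author, value) VALUES (?, ?)",
                     [("alice", "looks good"), ("bob", "needs review")])
    conn.execute("CREATE TABLE secrets (name TEXT, token TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('service_account', 'constructed-secret-token')")
    conn.commit()
    return conn


def update_comment_vulnerable(conn, comment_id, put_body):
    """Hypothetical PUT handler: the JSON field is formatted into the SQL text,
    so whatever the caller sends becomes part of the statement."""
    value = json.loads(put_body)["value"]
    sql = "UPDATE comments SET value = '%s' WHERE id = %d" % (value, int(comment_id))
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the reader can see the statement that actually ran


def update_comment_safe(conn, comment_id, put_body):
    """Same handler with bound parameters: the field is passed as data and can
    never change the shape of the statement."""
    value = json.loads(put_body)["value"]
    sql = "UPDATE comments SET value = ? WHERE id = ?"
    conn.execute(sql, (value, int(comment_id)))
    conn.commit()
    return sql


def read_comment(conn, comment_id):
    row = conn.execute("SELECT value FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row[0] if row else None


# Constructed malicious PUT body: closes the string literal, concatenates a
# subquery against the other table, and reopens the literal so the UPDATE
# still parses as a single statement.
INJECTED_BODY = json.dumps({"value": "' || (SELECT token FROM secrets LIMIT 1) || '"})


def demo():
    """Run the same request through both handlers; returns (leaked, stored)."""
    vuln = make_db()
    update_comment_vulnerable(vuln, 1, INJECTED_BODY)
    leaked = read_comment(vuln, 1)   # secret now sits in a field the caller can read back

    safe = make_db()
    update_comment_safe(safe, 1, INJECTED_BODY)
    stored = read_comment(safe, 1)   # payload stored as an inert string, secrets untouched
    return leaked, stored


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable handler leaked:", leaked)
    print("safe handler stored:", stored)
```

The vulnerable path needs no stacked statements: a string-closing payload inside one UPDATE is enough to pull data from another table into a row the caller is allowed to read, which is why "arbitrary SQL" from an authenticated PUT is rated as a confidentiality and integrity problem for the whole database, not just the record being edited.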
The vulnerability was discovered and reported by Yuan Luo from Tencent YunDing Security Lab. The ASF team has promptly addressed the flaw by releasing a patched version, Apache Traffic Control 8.0.2.
Further increasing its urgency, researchers Abdelrhman Zayed and Mohamed Abdelhady published a proof-of-concept (PoC) exploit for CVE-2024-45387 on GitHub. The availability of the PoC could accelerate attempts by malicious actors to exploit unpatched systems.
Apache Traffic Control is a robust, open-source implementation of a CDN that enables efficient and scalable content delivery. Recognized as a top-level project by the ASF in June 2018, it is widely used to manage and optimize web traffic.
With a PoC exploit already circulating and a near-perfect CVSS score, CVE-2024-45387 is a significant threat to organizations running Apache Traffic Control 8.0.0 or 8.0.1. Upgrading to 8.0.2 is the fix. Because exploitation requires an authenticated account holding one of the affected roles (‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering’), limiting who holds those roles and reviewing Traffic Ops access logs for unexpected PUT requests from those accounts reduces exposure until the upgrade is done.