CVE-2024-45387 (CVSS 9.9): Critical SQL Injection Vulnerability Found in Apache Traffic Control
A critical-severity security flaw has been uncovered in Apache Traffic Control, a popular open-source platform used to build large-scale content delivery networks (CDNs). This vulnerability, identified as CVE-2024-45387 and assigned a CVSS score of 9.9, could allow attackers to execute malicious SQL code, potentially compromising sensitive data and disrupting critical services.
Apache Traffic Control is a highly distributed and scalable platform that helps operators establish robust CDNs. Built around Apache Traffic Server, it ensures the efficient delivery of content at scale, catering to the needs of both small and large operators. Traffic Control’s key components include Traffic Ops, which manages CDN configuration and interactions.
The vulnerability stems from an SQL injection weakness in the Traffic Ops component of Apache Traffic Control versions 8.0.0 and 8.0.1. “An SQL injection vulnerability in Traffic Ops… allows a privileged user with role ‘admin’, ‘federation’, ‘operations’, ‘portal’, or ‘steering’ to execute arbitrary SQL against the database by sending a specially-crafted PUT request,” the official vulnerability report explains.
This means that malicious actors with certain privileged access to Traffic Ops could exploit this flaw to manipulate the underlying database. The consequences could range from data breaches and unauthorized access to complete system takeover.
The CVE-2024-45387 vulnerability was discovered by Yuan Luo from Tencent YunDing Security Lab and has been addressed in Apache Traffic Control version 8.0.2.
Organizations using Apache Traffic Control are strongly urged to upgrade immediately: anyone running an affected version of Traffic Ops (8.0.0 or 8.0.1) should move to Apache Traffic Control 8.0.2.