An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://trafficcontrol.apache.org/security/ | vendor advisory |
| http://www.openwall.com/lists/oss-security/2021/11/11/3 | third party advisory mailing list |
| http://www.openwall.com/lists/oss-security/2021/11/11/4 | third party advisory mailing list |
| http://www.openwall.com/lists/oss-security/2021/11/17/1 | third party advisory mailing list |