Vulnerability Details CVE-2019-12405
Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 77.5%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 6.8
References
- https://lists.apache.org/thread.html/e128e9d382f3b0d074e2b597ac58e1d92139394509d81ddbc9e3700e%40%3Cusers.trafficcontrol.apache.org%3E
- https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8%40%3Ccommits.trafficcontrol.apache.org%3E
- https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf%40%3Ccommits.trafficcontrol.apache.org%3E
- https://support.f5.com/csp/article/K84141859
- https://support.f5.com/csp/article/K84141859?utm_source=f5support&%3Butm_medium=RSS
- https://lists.apache.org/thread.html/e128e9d382f3b0d074e2b597ac58e1d92139394509d81ddbc9e3700e%40%3Cusers.trafficcontrol.apache.org%3E
- https://lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8%40%3Ccommits.trafficcontrol.apache.org%3E
- https://lists.apache.org/thread.html/rc8bfd7d4f71d61e9193efcd4699eccbab3c202ec1d75ed9d502f08bf%40%3Ccommits.trafficcontrol.apache.org%3E
- https://support.f5.com/csp/article/K84141859
- https://support.f5.com/csp/article/K84141859?utm_source=f5support&%3Butm_medium=RSS
Products affected by CVE-2019-12405
-
cpe:2.3:a:apache:traffic_control:3.0.0
-
cpe:2.3:a:apache:traffic_control:3.0.1