CVE-2019-12405

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-12405

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12405.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-12405

Aliases

GHSA-3f8r-4qwm-r7jf

Published

2019-09-09T17:15:13Z

Modified

2025-01-08T05:39:00.239282Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.

References

Affected packages

Git / github.com/apache/trafficcontrol

Affected ranges

Type: GIT
Repo: https://github.com/apache/trafficcontrol
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

dea1c0310cc170d663c92775753e032c24676212

Last affected

eca5d609dc5877e9abc075c0228e6e400473f564

Affected versions

1.*

1.1.0-release

1.1.1-hotfix

1.1.1-release

1.1.2-release

RELEASE-1.*

RELEASE-1.4.0-RC0

RELEASE-1.5.0-RC0

RELEASE-1.6.0-RC0

RELEASE-1.7.0-RC0

RELEASE-2.*

RELEASE-2.2.0-RC0

RELEASE-3.*

RELEASE-3.0.0

RELEASE-3.0.0-RC0

RELEASE-3.0.0-RC1

RELEASE-3.0.0-RC2

RELEASE-3.0.0-RC3

RELEASE-3.0.0-RC4

RELEASE-3.0.0-RC5

RELEASE-3.0.0-RC6

RELEASE-3.0.1

RELEASE-3.0.1-RC1

RELEASE-3.0.1-RC2

traffic_monitor-1.*

traffic_monitor-1.1.1

traffic_ops-release-1.*

traffic_ops-release-1.1.2

traffic_ops-release-1.1.3

traffic_ops-release-1.1.5

traffic_ops-release-1.1.6

traffic_router-1.*

traffic_router-1.1.1

traffic_router-1.1.2

v1.*

v1.1.3