CVE-2021-43350

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in go/github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/login

Identifiers

CVE-2021-43350

Package Slug

go/github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/login

Vulnerability

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Description

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
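The Go sketch below is an added example, not code from Apache Traffic Control or its fix. It contrasts placing a username into an LDAP filter by plain concatenation with escaping it first per RFC 4515. The attribute name uid, the function names and the sample username are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter.
// Per RFC 4515, "*", "(", ")", "\" and NUL are written as a backslash
// followed by the two-digit hex code of the byte.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeFilter shows the vulnerable pattern: the username reaches the
// filter unchanged, so filter metacharacters in it alter the filter.
func unsafeFilter(attr, username string) string {
	return "(" + attr + "=" + username + ")"
}

// safeFilter escapes the username so it is always a single literal value.
func safeFilter(attr, username string) string {
	return "(" + attr + "=" + escapeFilterValue(username) + ")"
}

func main() {
	// Constructed sample input containing filter metacharacters.
	username := "a*)(cn=b"
	// "uid" is an assumed attribute name, not taken from the advisory.
	u := unsafeFilter("uid", username)
	s := safeFilter("uid", username)
	// Count literal "(": more than one means the input added filter items.
	fmt.Println(u, strings.Count(u, "("))
	fmt.Println(s, strings.Count(s, "("))
}
```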

Affected Versions

All versions starting from 5.1.0 before 5.1.4, all versions starting from 6.0.0 before 6.0.1

Solution

Upgrade to versions 5.1.4, 6.0.1 or above.

Last Modified

2021-11-18
