
Apache Traffic Control Vulnerability Let Attackers Inject Malicious SQL Commands

Mohammed Muneef
Dec 26, 2024

A critical SQL injection vulnerability, tracked as CVE-2024-45387, has been disclosed in Apache Traffic Control, a widely used open-source platform for managing large-scale content delivery networks (CDNs).

The vulnerability affects versions 8.0.0 through 8.0.1 and is fixed in 8.0.2. It carries a CVSS score of 9.9, reflecting a high impact on the confidentiality, integrity, and availability of the Traffic Ops database.

The flaw resides in Traffic Ops, the Apache Traffic Control component that exposes the management API and fronts the database. An authenticated user holding any of the "admin", "federation", "operations", "portal", or "steering" roles can execute arbitrary SQL against the backing database by sending a specially crafted PUT request to the deliveryservice_request_comments endpoint. Request-controlled input reaches the SQL statement without being parameterized or escaped, which is CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Note that none of the listed roles is limited to administrators, so any account that can post or edit delivery service request comments is a viable starting point.

Successful exploitation gives the attacker direct access to the Traffic Ops database, which enables:

  • Unauthorized reads of sensitive information, such as user records and credential hashes.
  • Manipulation or deletion of CDN configuration data.
  • Escalation to full administrative privileges by rewriting role assignments.
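The following example, added here and not taken from the Apache Traffic Control code base, models the class of bug described above: a comment-update handler that interpolates the request body's "value" field into an UPDATE statement, beside the parameterized version that fixes it. The schema, table and column names (tm_user, local_passwd, deliveryservice_request_comments) are constructed approximations of Traffic Ops tables, not the real DDL, and the sample rows are made up. It uses SQLite (standard library) rather than PostgreSQL so it runs offline; the concatenation operator `||` and subselects behave the same way in both. The injected comment value pulls another user's credential hash into the attacker's own comment, which the attacker then reads back through the normal API, demonstrating the unauthorized-read consequence listed above.

```python
import sqlite3

# Constructed sample schema and rows; loosely modeled on Traffic Ops tables.
# Credential values are placeholders, not real hashes.
SCHEMA = """
CREATE TABLE tm_user (
    id INTEGER PRIMARY KEY, username TEXT, local_passwd TEXT, role INTEGER);
CREATE TABLE deliveryservice_request_comments (
    id INTEGER PRIMARY KEY, deliveryservice_request_id INTEGER,
    author_id INTEGER, value TEXT);
INSERT INTO tm_user VALUES (1, 'admin', 'HASH_admin', 1);
INSERT INTO tm_user VALUES (2, 'portal-user', 'HASH_portal', 5);
INSERT INTO deliveryservice_request_comments VALUES (10, 5, 2, 'Looks good');
"""

# Roles the advisory names as able to reach the endpoint (assumption: the
# handler checks role membership before touching the database).
PRIVILEGED_ROLES = {"admin", "federation", "operations", "portal", "steering"}


def new_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_comment_vulnerable(conn, role, comment_id, body):
    """Hypothetical handler for PUT /deliveryservice_request_comments?id=N.

    The role check is correct, but the JSON body's 'value' is spliced into
    the statement text with string formatting: CWE-89.
    """
    if role not in PRIVILEGED_ROLES:
        raise PermissionError("role not allowed")
    sql = ("UPDATE deliveryservice_request_comments SET value = '%s' "
           "WHERE id = %d" % (body["value"], int(comment_id)))
    conn.execute(sql)
    conn.commit()


def update_comment_fixed(conn, role, comment_id, body):
    """Same handler with the value bound as a query parameter.

    The driver sends the value out of band, so quotes and operators in it are
    stored literally and never become part of the statement.
    """
    if role not in PRIVILEGED_ROLES:
        raise PermissionError("role not allowed")
    conn.execute(
        "UPDATE deliveryservice_request_comments SET value = ? WHERE id = ?",
        (body["value"], int(comment_id)),
    )
    conn.commit()


def read_comment(conn, comment_id):
    """What the attacker sees when fetching the comment back via the API."""
    row = conn.execute(
        "SELECT value FROM deliveryservice_request_comments WHERE id = ?",
        (comment_id,),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker payload: closes the string literal, concatenates a
# subselect against the user table, then reopens the literal so the
# statement stays syntactically valid.
PAYLOAD = {
    "value": "x' || (SELECT local_passwd FROM tm_user "
             "WHERE username = 'admin') || '"
}


def demo():
    """Returns (what the vulnerable handler stored, what the fixed one stored)."""
    vuln = new_db()
    update_comment_vulnerable(vuln, "portal", 10, PAYLOAD)
    leaked = read_comment(vuln, 10)      # admin's hash now sits in the comment

    fixed = new_db()
    update_comment_fixed(fixed, "portal", 10, PAYLOAD)
    stored = read_comment(fixed, 10)     # the payload text, stored verbatim
    return leaked, stored


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable handler stored:", leaked)
    print("fixed handler stored:     ", stored)
```

The role check in the vulnerable handler is deliberately correct: the point of this CVE is that authorization gating is not a substitute for parameterized queries, because every one of the listed roles is a legitimate API consumer. Against PostgreSQL, where a simple-protocol Exec without parameters also accepts multiple statements, the same splice point would additionally allow a trailing `; UPDATE tm_user SET role = ...` to rewrite role assignments, which is the privilege-escalation path.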
