Severity: critical Description:
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter. Mitigation: 6.0.x users should upgrade to 6.0.1. 5.1.x users should upgrade to 5.1.4. Credit: This issue was discovered by Apache Traffic Control user pupiles. References: https://trafficcontrol.apache.org/security/
