CORRECTION: This issue was discovered by Apache Traffic Control user [email protected].
On Thu, 2021-11-11 at 20:53 +0000, Zach Hoffman wrote:
> Severity: critical
>
> Description:
>
> An unauthenticated Apache Traffic Control Traffic Ops user can send a request
> with a specially-crafted username to the POST /login endpoint of any API
> version to inject unsanitized content into the LDAP filter.
>
> Mitigation:
>
> 6.0.x users should upgrade to 6.0.1.
> 5.1.x users should upgrade to 5.1.4.
>
> Credit:
>
> This issue was discovered by Apache Traffic Control user pupiles.
>
> References:
>
> https://trafficcontrol.apache.org/security/
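An added example (not code from Apache Traffic Control or from this thread) of the defensive fix for this bug class: the username is escaped per RFC 4515 before it is placed in the LDAP search filter, shown beside the unsafe string formatting. The `(uid=%s)` template and the function names are assumptions; the page does not show the filter Traffic Ops actually builds.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue applies RFC 4515 escaping to a value that will be
// embedded in an LDAP search filter: each character that has meaning
// inside a filter is replaced by a backslash and two hex digits, so the
// value can only ever match literally and cannot alter the filter's logic.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeUserFilter is the pattern behind this class of bug: the raw
// username is formatted straight into the filter. (Hypothetical template;
// the real Traffic Ops filter is not shown on the page.)
func unsafeUserFilter(username string) string {
	return fmt.Sprintf("(uid=%s)", username)
}

// safeUserFilter is the hardened form: same template, escaped value.
func safeUserFilter(username string) string {
	return fmt.Sprintf("(uid=%s)", escapeFilterValue(username))
}

func main() {
	// Constructed sample usernames, one plain and two carrying filter
	// metacharacters, to show how each form of filter treats them.
	for _, u := range []string{"alice", "ali*ce", "a(b)*c\\"} {
		fmt.Printf("%-10q unsafe=%-14s safe=%s\n", u, unsafeUserFilter(u), safeUserFilter(u))
	}
}
```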
