Apache fixed a critical SQL Injection in Apache Traffic Control

Apache Software Foundation (ASF) addressed a critical SQL Injection vulnerability, tracked as CVE-2024-45387, in Apache Traffic Control.

The Apache Software Foundation (ASF) released security updates to address a critical security vulnerability, tracked as [CVE-2024-45387](https://www.cve.org/CVERecord?id=CVE-2024-45387) (CVSS score 9.9), in [Traffic Control](https://trafficcontrol.apache.org/).

Traffic Control allows operators to set up a Content Delivery Network to deliver content to their users quickly and efficiently. It is a highly distributed, scalable and redundant solution that meets the needs of operators from small to large.

The flaw is an SQL injection vulnerability in Traffic Control (-= 8.0.0); it allows privileged users to execute arbitrary SQL commands.

*‘An SQL injection vulnerability in Traffic Ops in Apache Traffic Control -= 8.0.0 allows a privileged user with role ‘admin’, ‘federation’, ‘operations’, ‘portal’, or ‘steering’ to execute arbitrary SQL against the database by sending a specially-crafted PUT request,’* [reads the advisory](https://lists.apache.org/thread/t38nk5n7t8w3pb66z7z4pqfzt4443trr). *‘Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.’*

Traffic Control versions from 7.0.0 before 8.0.0 are not affected by this vulnerability.

The researcher Yuan Luo from Tencent YunDing Security Lab reported the vulnerability.

Early this month, The Apache Software Foundation [released](https://securityaffairs.com/112089/security/struts-2-flaw.html) a security update to address a ‘possible remote code execution’ flaw in Struts 2 that is related to the OGNL technology. The remote code execution flaw, tracked as CVE-2020-17530, resides in forced OGNL evaluation when evaluated on raw user input in tag attributes.

Follow me on Twitter: [**@securityaffairs**](https://twitter.com/securityaffairs) and [**Facebook**](https://www.facebook.com/sec.affairs) and [Mastodon](https://infosec.exchange/@securityaffairs)

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)

**(**[**SecurityAffairs**](http://securityaffairs.co/wordpress/) **–** **hacking, Traffic Control)**
