Lucene search

[email protected]CVE-2019-12405

HistorySep 09, 2019 - 5:15 p.m.

CVE-2019-12405

2019-09-0917:15:13

CWE-287

[email protected]

web.nvd.nist.gov

cve

2019

12405

apache traffic control

ldap

authentication

security vulnerability

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.9%

JSON

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user’s correct password.

Affected configurations

Vulners

NVD

Node

apachetraffic_controlRange≤3.0.0

apachetraffic_controlRange≤3.0.1

CPENameOperatorVersion
apache:traffic_controlapache traffic controleq3.0.0
apache:traffic_controlapache traffic controleq3.0.1

CPE	Name	Operator	Version
apache:traffic_control	apache traffic control	eq	3.0.0
apache:traffic_control	apache traffic control	eq	3.0.1

CNA Affected

[
  {
    "product": "Traffic Control",
    "vendor": "Apache",
    "versions": [
      {
        "status": "affected",
        "version": "3.0.0 and 3.0.1"
      }
    ]
  }
]