Cyber Resilience

CVE-2024-45387

Severity: Critical

Published: 23 December 2024
Modified: 11 February 2025
KEV Added: none (not in the CISA KEV catalog)
Patch:
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5055 (97.9th percentile)
Risk Priority: 50 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45387 is a critical-severity SQL Injection (CWE-89) vulnerability in Apache Traffic Control. Its CVSS base score is 9.9 (Critical).

Operationally, its EPSS score places it in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-45387 is an SQL injection vulnerability in the Traffic Ops component of Apache Traffic Control versions 8.0.0 through 8.0.1. The flaw stems from insufficient input validation on PUT requests, enabling a user holding one of the privileged roles listed below to inject and execute arbitrary SQL statements against the backend database. It carries a CVSS 3.1 score of 9.9, reflecting network-accessible exploitation with low attack complexity and high impact on confidentiality, integrity, and availability.

An authenticated attacker holding the admin, federation, operations, portal, or steering role can craft a malicious PUT request that bypasses authorization checks and runs arbitrary SQL. Successful exploitation grants the ability to read, modify, or delete database contents, potentially leading to full compromise of the Traffic Control deployment and any dependent traffic-management functions.

Apache Traffic Control project advisories recommend immediate upgrade to version 8.0.2 for all affected installations; the referenced lists.apache.org and openwall.com postings confirm that the fix addresses both the SQL injection (CWE-89) and improper authorization (CWE-285) issues. The associated EPSS score sits at 0.5055 with no material post-disclosure rise indicated.

Vulnerability details

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request.…

Users are recommended to upgrade to Apache Traffic Control version 8.0.2 if they run an affected version of Traffic Ops.

CWE(s)

CWE-89 (SQL Injection), CWE-285 (Improper Authorization)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: traffic control
Versions: 8.0.0 to 8.0.2 (as recorded in this asset entry; note that the advisory text above lists 8.0.0 through 8.0.1 as affected and names 8.0.2 as the fixed release)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-285 (Improper Authorization):

- Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
- Periodic reviews identify and correct flaws in authorization decisions or enforcement.
- The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
- Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
- Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
- The control explicitly requires authorization of each wireless access type prior to permitting connections.
- Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
- Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
