CVE-2024-45387
Published: 23 December 2024
Summary
CVE-2024-45387 is a critical-severity SQL Injection (CWE-89) vulnerability in Apache Traffic Control. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-45387 is an SQL injection vulnerability in the Traffic Ops component of Apache Traffic Control versions 8.0.0 through 8.0.1. The flaw stems from insufficient input validation on PUT requests, enabling a user with one of the listed privileged roles to inject and execute arbitrary SQL statements against the backend database. It carries a CVSS 3.1 score of 9.9, reflecting network-accessible exploitation with low attack complexity and high impact on confidentiality, integrity, and availability.
An authenticated attacker holding the admin, federation, operations, portal, or steering role can craft a malicious PUT request that bypasses authorization checks and runs arbitrary SQL. Successful exploitation grants the ability to read, modify, or delete database contents, potentially leading to full compromise of the Traffic Control deployment and any dependent traffic-management functions.
Apache Traffic Control project advisories recommend immediate upgrade to version 8.0.2 for all affected installations; the referenced lists.apache.org and openwall.com postings confirm that the fix addresses both the SQL injection (CWE-89) and improper authorization (CWE-285) issues. The associated EPSS score sits at 0.5055 with no material post-disclosure rise indicated.
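The two-line root cause described above (a PUT body field interpolated into SQL text) and its standard fix are easiest to see side by side. The following is an added example, not Apache Traffic Control or Traffic Ops code: the `cachegroup` table, the JSON field names and the request bodies are constructed for the demonstration and do not match the real Traffic Ops schema or API. It uses an in-memory SQLite database so it runs offline.

```python
"""Added example (not Apache Traffic Control code): why string-built SQL in a
PUT handler is injectable, and the parameterized form that is not.

The table, column names and request bodies below are constructed for the
demonstration and do not correspond to Traffic Ops' real schema or API.
"""
import json
import re
import sqlite3

# Constructed sample rows standing in for a traffic-management table.
SEED_ROWS = [("edge-east", "ee"), ("edge-west", "ew"), ("mid-central", "mc")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cachegroup (name TEXT PRIMARY KEY, short_name TEXT NOT NULL)")
    conn.executemany("INSERT INTO cachegroup VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def put_vulnerable(conn: sqlite3.Connection, body: str) -> int:
    """PUT handler that trusts the JSON body and splices it into the SQL text.
    Returns the number of rows the UPDATE touched."""
    data = json.loads(body)
    sql = (
        f"UPDATE cachegroup SET short_name = '{data['shortName']}' "
        f"WHERE name = '{data['name']}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def put_parameterized(conn: sqlite3.Connection, body: str) -> int:
    """Same handler with placeholders: the SQL text is fixed and the values
    travel separately, so body contents can never change the statement."""
    data = json.loads(body)
    cur = conn.execute(
        "UPDATE cachegroup SET short_name = ? WHERE name = ?",
        (data["shortName"], data["name"]),
    )
    conn.commit()
    return cur.rowcount


# Hypothetical shape for the two fields; a real schema would define its own.
FIELD_RE = re.compile(r"^[A-Za-z0-9_-]{1,48}$")


def validate_body(body: str) -> bool:
    """Defense in depth: reject bodies whose fields do not match the expected
    shape. This complements parameterization; it does not replace it."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    if not isinstance(data, dict):
        return False
    return all(
        isinstance(data.get(k), str) and FIELD_RE.match(data[k]) is not None
        for k in ("name", "shortName")
    )


# Constructed request bodies: one legitimate, one with a tautology in the name field.
LEGIT_BODY = json.dumps({"name": "edge-east", "shortName": "e1"})
INJECTED_BODY = json.dumps({"name": "nope' OR '1'='1", "shortName": "x"})


def demo() -> dict:
    vuln = make_db()
    safe = make_db()
    return {
        # The tautology widens the WHERE clause to every row: 3 rows rewritten.
        "vulnerable_rows_changed": put_vulnerable(vuln, INJECTED_BODY),
        # The same body is compared literally against the name column: 0 rows.
        "parameterized_rows_changed": put_parameterized(safe, INJECTED_BODY),
        "legit_rows_changed": put_parameterized(safe, LEGIT_BODY),
        "validator_rejects_injected": not validate_body(INJECTED_BODY),
        "validator_accepts_legit": validate_body(LEGIT_BODY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The integrity impact the advisory describes is visible in the row counts: the interpolated handler rewrites every row from one request, while the parameterized handler treats the same body as an ordinary (non-matching) value. The regex check is worth keeping as a second layer, but on its own it is not a fix; the statement text must be fixed at compile time.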
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3616
Vulnerability details
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request.
Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
Periodic reviews identify and correct flaws in authorization decisions or enforcement.
The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
The control explicitly requires authorization of each wireless access type prior to permitting connections.
Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.