8 matches found
CVE-2024-45387
Summary: CVE-2024-45387 is an SQL injection in Traffic Ops of Apache Traffic Control, affecting versions = 8.0.0. A privileged user with roles such as admin, federation, operations, portal, or steering can run arbitrary SQL against the database via a specially crafted PUT request. The vulnerabili...
CVE-2022-23206
This CVE concerns Apache Traffic Control Traffic Ops. An unprivileged user who can reach Traffic Ops over HTTPS could send a crafted POST to /user/login/oauth, enabling SSRF to scan a port on a server within reach of Traffic Ops. Affected are Traffic Ops versions prior to 6.1.0 or 5.1.6. Impact is described as port-scanning capa...
CVE-2017-7670
CVE-2017-7670 describes a Slowloris-style DoS affecting the Traffic Router component of Apache Traffic Control. The vulnerability occurs because TCP connections on the configured DNS port can stay in the ESTABLISHED state indefinitely. If enough connections remain open, they exhaust the thread po...
CVE-2021-42009
The CVE covers Apache Traffic Control Traffic Ops: an authenticated portal-level user can submit a crafted email subject to the /deliveryservices/request endpoint, causing the Traffic Ops server to send an email with an arbitrary body to any address. This is a server-side email relay/injection ri...
CVE-2019-12405
CVE-2019-12405 affects Apache Traffic Control (Traffic Ops API) when LDAP login is enabled. Versions 3.0.0 and 3.0.1 are exposed to an improper authentication vulnerability that could allow a user authenticated via LDAP to impersonate another user without the target user’s password. This is docum...
CVE-2021-43350
CVE-2021-43350 affects Apache Traffic Control Traffic Ops and describes an LDAP filter injection vulnerability. An unauthenticated user can send a specially crafted username to the POST /login endpoint (any API version) to inject unsanitized content into the LDAP filter, enabling possible LDAP qu...
CVE-2020-17522
The CVE-2020-17522 entry concerns Apache Traffic Control's ORT/atstccfg-generated ip_allow.config files for versions 3.0.0–3.1.0 and 4.0.0–4.1.0. The vulnerability is that these files contain permissions that could allow an attacker to push arbitrary content to CDN cache servers and remove conten...
CVE-2025-61581
CVE-2025-61581 describes an Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control affecting all versions. The description states that users with access to the Traffic Router management interface could supply malicious patterns, potentially causing unavailability. The p...