PT-2019-4643 · Apache · Apache Traffic Control

Published: 2019-09-09
Updated: 2022-04-18
CVE-2019-12405
CVSS v2.0 score: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Traffic Control versions 3.0.0 through 3.0.1

Description: The issue is an improper authentication flaw in the Traffic Ops API component when LDAP is enabled for login. It allows an attacker to authenticate as a user without knowing that user's correct password, provided the attacker has a username that can be authenticated via LDAP.

Recommendations: For Apache Traffic Control versions 3.0.0 and 3.0.1, consider disabling LDAP authentication in the Traffic Ops API component until a patch is available. Restrict access to the Traffic Ops API to minimize the risk of exploitation. Avoid using the Traffic Ops API for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Authentication


Weakness Enumeration

Related identifiers

BDU:2020-00809
CVE-2019-12405
GHSA-3F8R-4QWM-R7JF

Affected products

Apache Traffic Control