LDAP Authentication Bypass in Apache Traffic Control 3.0.0 and 3.0.1

CVE-2019-12405 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.
