Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/apache/trafficcontrol(Go) | 3.0.0 | 3.0.2-RC1 | N/A |
CVSS Metrics
