x/vulndb: potential Go vuln in github.com/apache/trafficcontrol/v8: GHSA-vq94-9pfv-ccqr

[GoVulnBot]

Advisory GHSA-vq94-9pfv-ccqr references a vulnerability in the following Go modules:

Module
github.com/apache/trafficcontrol
github.com/apache/trafficcontrol/v8

Description:
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request.

Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.

References:

• ADVISORY: GHSA-vq94-9pfv-ccqr
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45387
• WEB: http://www.openwall.com/lists/oss-security/2024/12/23/3
• WEB: https://github.com/apache/trafficcontrol/releases/tag/v8.0.2
• WEB: https://lists.apache.org/thread/t38nk5n7t8w3pb66z7z4pqfzt4443trr

Cross references:

• github.com/apache/trafficcontrol appears in 6 other report(s):
  • data/excluded/GO-2022-0624.yaml (x/vulndb: potential Go vuln in github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/login: GHSA-3f8r-4qwm-r7jf #624) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0702.yaml (x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-pw59-4qgf-jxr8 #702) NOT_GO_CODE
  • data/excluded/GO-2024-2767.yaml (x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-f2wr-c4c4-xjg7 #2767) NOT_GO_CODE
  • data/reports/GO-2022-0585.yaml (x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-wp47-9r3h-xfgq #585)
  • data/reports/GO-2022-0602.yaml (x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-gw97-f6h8-gm94 #602)
  • data/reports/GO-2024-2776.yaml (x/vulndb: potential Go vuln in github.com/apache/trafficcontrol: GHSA-mg2c-rc36-p594 #2776)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/trafficcontrol
      vulnerable_at: 7.0.1+incompatible
    - module: github.com/apache/trafficcontrol/v8
      versions:
        - introduced: 8.0.0
        - fixed: 8.0.2
      vulnerable_at: 8.0.2-rc0
summary: SQL injection in Apache Traffic Control in github.com/apache/trafficcontrol
cves:
    - CVE-2024-45387
ghsas:
    - GHSA-vq94-9pfv-ccqr
references:
    - advisory: https://github.com/advisories/GHSA-vq94-9pfv-ccqr
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45387
    - web: http://www.openwall.com/lists/oss-security/2024/12/23/3
    - web: https://github.com/apache/trafficcontrol/releases/tag/v8.0.2
    - web: https://lists.apache.org/thread/t38nk5n7t8w3pb66z7z4pqfzt4443trr
source:
    id: GHSA-vq94-9pfv-ccqr
    created: 2024-12-23T21:03:28.379904215Z
review_status: UNREVIEWED