CVE-2019-12405: Improper Authentication in Apache Traffic Control
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-12405
GHSA ID:
EPSS Score: 0.7775%
CWE:
Published: 5/18/2021
Updated: 9/18/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/apache/trafficcontrol | go | >= 3.0.0, <= 3.0.1 | 3.0.2-RC1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing empty-credential check in the Traffic Ops login handler. In the vulnerable 3.0.0 and 3.0.1 releases, LoginHandler passed the submitted username and password into the LDAP authentication flow without first confirming that both fields were present. In an LDAP simple bind, a request that carries a name but an empty password is an "unauthenticated bind" (RFC 4513 §5.1.2), which some directory servers accept, so an empty password can come back as a successful bind. The patch adds the check form.Username == "" || form.Password == "" to LoginHandler and rejects the request before any bind is attempted. Because LoginHandler is the entry point for authentication and the patch modifies this function directly, it is identified as the vulnerable function for CVE-2019-12405.
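The following Go program is an added illustration of the flow described above; it is not code from the Apache Traffic Control project. It places a vulnerableLogin that hands the form straight to the directory beside a fixedLogin that applies the form.Username == "" || form.Password == "" check first, and wires each into an HTTP handler so the check sits at the entry point, as the patch puts it in LoginHandler. The directory is a constructed in-memory stand-in for an LDAP server configured to accept unauthenticated binds (RFC 4513 §5.1.2); the handler, the form field names u and p, and the sample user are assumptions, not Traffic Ops' own API.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// loginForm carries the two fields the login request submits.
type loginForm struct {
	Username string
	Password string
}

// fakeDirectory is a constructed stand-in for an LDAP server. It models
// RFC 4513 §5.1.2: a simple bind with a name but an empty password is an
// "unauthenticated bind", which the server may report as success.
type fakeDirectory struct {
	users                    map[string]string // username -> password (sample data)
	allowUnauthenticatedBind bool
}

var errBind = errors.New("ldap: invalid credentials")

// Bind imitates a simple bind: unknown name or wrong password fails; an
// empty password succeeds only when unauthenticated binds are allowed.
func (d *fakeDirectory) Bind(username, password string) error {
	pw, ok := d.users[username]
	if !ok {
		return errBind
	}
	if password == "" {
		if d.allowUnauthenticatedBind {
			return nil // server treats this as an unauthenticated bind
		}
		return errBind
	}
	if pw != password {
		return errBind
	}
	return nil
}

// vulnerableLogin models the pre-3.0.2 flow as the analysis describes it:
// the form goes to the directory with no check that both fields are present.
func vulnerableLogin(dir *fakeDirectory, form loginForm) bool {
	return dir.Bind(form.Username, form.Password) == nil
}

// fixedLogin adds the check the patch introduced before anything touches
// the directory, so an empty password never reaches the bind.
func fixedLogin(dir *fakeDirectory, form loginForm) bool {
	if form.Username == "" || form.Password == "" {
		return false
	}
	return dir.Bind(form.Username, form.Password) == nil
}

// loginHandler wires either policy into an HTTP handler (hypothetical
// shape, not Traffic Ops' LoginHandler): 200 on success, 401 otherwise.
func loginHandler(dir *fakeDirectory, authenticate func(*fakeDirectory, loginForm) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		form := loginForm{Username: r.PostFormValue("u"), Password: r.PostFormValue("p")}
		if !authenticate(dir, form) {
			http.Error(w, "invalid username or password", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "ok")
	}
}

// postLogin submits a form-encoded login to the handler and returns the status code.
func postLogin(h http.HandlerFunc, username, password string) int {
	body := url.Values{"u": {username}, "p": {password}}.Encode()
	req := httptest.NewRequest(http.MethodPost, "/api/login", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// newSampleDirectory builds the constructed directory with one known user.
func newSampleDirectory() *fakeDirectory {
	return &fakeDirectory{
		users:                    map[string]string{"alice": "correct horse battery staple"},
		allowUnauthenticatedBind: true,
	}
}

func main() {
	dir := newSampleDirectory()
	vuln := loginHandler(dir, vulnerableLogin)
	fixed := loginHandler(dir, fixedLogin)
	for _, c := range []struct{ u, p string }{
		{"alice", "correct horse battery staple"}, {"alice", ""}, {"alice", "wrong"}, {"", ""},
	} {
		fmt.Printf("user=%q pass=%q vulnerable=%d fixed=%d\n", c.u, c.p, postLogin(vuln, c.u, c.p), postLogin(fixed, c.u, c.p))
	}
}
```

Run it and the second row shows the defect: with an empty password the vulnerable handler returns 200 for an existing user because the bind succeeds, while the fixed handler returns 401 without consulting the directory. The check belongs in the handler rather than in the directory client because, as the analysis notes, the handler is the single entry point every authentication path goes through.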