
CVE-2019-12405: Improper Authentication in Apache Traffic Control

CVSS Score
9.8 (CVSS 3.1)

Basic Information

EPSS Score
0.7775%
Published
5/18/2021
Updated
9/18/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
github.com/apache/trafficcontrol
Ecosystem
go
Vulnerable Versions
>= 3.0.0, <= 3.0.1
First Patched Version
3.0.2-RC1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing validation of empty credentials in the login handler. The patch adds a check that rejects an empty username or password field (form.Username == "" || form.Password == ""), which was absent in vulnerable versions. Since LoginHandler is the entry point for authentication and the patch modifies this function directly to fix the flaw, it is the vulnerable function. Without that check, the LDAP authentication flow proceeded to bind with whatever the form contained; an LDAP simple bind that carries a name but an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which many directory servers accept rather than reject, so the handler could treat such a bind as a successful password check. This is the improper authentication described in CVE-2019-12405.
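The following Go program is an added example and not code from Apache Traffic Control. It contrasts a login handler that passes form fields straight to an LDAP bind with one that applies the empty-credential check described above. The LDAP server is replaced by a constructed in-memory fake that behaves like a directory accepting unauthenticated binds (empty password with a non-empty name succeeds); the names Binder, fakeDirectory, vulnerableLogin, fixedLogin and the sample user are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Binder abstracts an LDAP simple bind. Production code would wrap a real
// LDAP client; this example only needs the bind result (assumed interface).
type Binder interface {
	Bind(dn, password string) error
}

// fakeDirectory is a constructed stand-in for a directory server that
// follows RFC 4513 section 5.1.2: a bind with a DN and an empty password
// is an "unauthenticated bind" and is accepted instead of rejected.
type fakeDirectory struct {
	passwords map[string]string // dn -> password (constructed sample data)
}

func (d *fakeDirectory) Bind(dn, password string) error {
	if password == "" {
		return nil // unauthenticated bind succeeds: the root of the flaw
	}
	if stored, ok := d.passwords[dn]; ok && stored == password {
		return nil
	}
	return errors.New("invalid credentials")
}

// loginForm mirrors the username/password pair a login request carries.
type loginForm struct {
	Username string
	Password string
}

// userDN builds the bind DN for a username (assumed directory layout).
func userDN(username string) string {
	return fmt.Sprintf("uid=%s,ou=users,dc=example,dc=org", username)
}

// vulnerableLogin models the pre-patch behaviour from the analysis: the
// form is handed to the bind without checking that a password was supplied,
// so a successful unauthenticated bind is mistaken for a password check.
func vulnerableLogin(dir Binder, form loginForm) bool {
	return dir.Bind(userDN(form.Username), form.Password) == nil
}

// fixedLogin adds the check the patch introduced: empty credentials are
// rejected before any bind is attempted.
func fixedLogin(dir Binder, form loginForm) bool {
	if form.Username == "" || form.Password == "" {
		return false
	}
	return dir.Bind(userDN(form.Username), form.Password) == nil
}

// newFakeDirectory returns the constructed directory with one sample user.
func newFakeDirectory() *fakeDirectory {
	return &fakeDirectory{passwords: map[string]string{
		userDN("alice"): "correct horse battery staple",
	}}
}

func main() {
	dir := newFakeDirectory()
	cases := []loginForm{
		{"alice", "correct horse battery staple"}, // valid password
		{"alice", "wrong"},                        // wrong password
		{"alice", ""},                             // empty password
		{"", "x"},                                 // empty username
	}
	for _, c := range cases {
		fmt.Printf("user=%q password=%q vulnerable=%v fixed=%v\n",
			c.Username, c.Password, vulnerableLogin(dir, c), fixedLogin(dir, c))
	}
}
```

Running it shows the vulnerable handler accepting the empty-password case while the fixed handler rejects it and still accepts the correct password. The important design point is that the check sits in the application before the bind: relying on the directory to refuse unauthenticated binds is configuration-dependent and not something the login handler can assume.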


WAF Protection Rules

WAF Rule

Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authent
