github.com/apache/trafficcontrol (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/apache/trafficcontrol, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2024-45387 — CVSS 9.9 (critical): An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin"…
CVE-2021-43350 — CVSS 9.8 (critical): An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint…
CVE-2019-12405 — CVSS 9.8 (critical): Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API…
CVE-2025-61581 — CVSS 7.5 (high): ** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects…
CVE-2022-23206 — CVSS 7.5 (high): In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a…
CVE-2017-7670 — CVSS 7.5 (high): The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack…
CVE-2020-17522 — CVSS 5.8 (medium): When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files…
CVE-2021-42009 — CVSS 4.3 (medium): An authenticated Apache Traffic Control Traffic Ops user with Portal-level privileges can send a request with a specially-crafted email…