Critical severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 4, 2024

CVE-2019-12405


Description

Apache Traffic Control 3.0.0 and 3.0.1 allow LDAP authentication bypass; an attacker can authenticate as any LDAP user without the correct password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2019-12405 is an improper authentication vulnerability in the Traffic Ops API component of Apache Traffic Control versions 3.0.0 and 3.0.1 when LDAP authentication is enabled. The root cause is insufficient validation of login credentials; specifically, the code did not check for empty username or password fields, allowing an attacker to bypass authentication [1][3].

Exploitation

An attacker with knowledge of a valid LDAP username (which may be enumerable) and network access to the Traffic Ops API can authenticate as that user without providing the correct password. The vulnerability is triggered by sending a login request with an empty password field while specifying a valid username. No prior authentication or special privileges are required [1].

Impact

Successful exploitation grants the attacker the same privileges as the targeted LDAP user within the Traffic Control system. This could include administrative access, enabling full control over CDN configuration, cache servers, and other sensitive operations. The impact is particularly severe in environments where LDAP is used for centralized authentication [1].

Mitigation

The vulnerability was addressed in a subsequent commit (f780aff) that adds validation to reject login requests with empty username or password [3]. Users should upgrade to a patched version of Apache Traffic Control (beyond 3.0.1) or apply the fix manually. No workarounds are documented, and the issue is not currently listed on CISA's Known Exploited Vulnerabilities catalog [1].
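Why a missing empty-field check turns into a full bypass: an LDAP simple bind that carries a name but an empty password is an "unauthenticated" bind (RFC 4513 §5.1.2), and a directory that accepts it returns success without verifying any password. The Go program below is an added illustration, not Traffic Control's own code; it models that bind behaviour with a constructed in-memory directory and shows the pre-fix login flow beside one carrying the same check the patch adds.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for a directory server's simple-bind semantics: a bind
// with a name and an empty password is an unauthenticated bind, and a server
// that accepts it succeeds without checking any password.
var directory = map[string]string{
	"uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple", // constructed
}

func simpleBind(dn, password string) error {
	if password == "" {
		return nil // unauthenticated bind accepted: no password verified
	}
	if stored, ok := directory[dn]; ok && stored == password {
		return nil
	}
	return errors.New("invalid credentials")
}

// userDN builds the bind DN; DN escaping is omitted as it is not the point here.
func userDN(username string) string {
	return fmt.Sprintf("uid=%s,ou=people,dc=example,dc=com", username)
}

// LoginVulnerable mirrors the pre-fix flow: form values go straight to the
// bind, so a valid username with an empty password logs in.
func LoginVulnerable(username, password string) bool {
	return simpleBind(userDN(username), password) == nil
}

// LoginFixed mirrors the check added in commit f780aff: empty fields are
// rejected before any bind, so the unauthenticated-bind path is never reached.
func LoginFixed(username, password string) (bool, error) {
	if username == "" || password == "" {
		return false, errors.New("username and password are required")
	}
	return simpleBind(userDN(username), password) == nil, nil
}

func main() {
	fmt.Println("vulnerable, empty password:", LoginVulnerable("alice", ""))
	ok, err := LoginFixed("alice", "")
	fmt.Println("fixed, empty password:", ok, err)
}
```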

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                | Affected versions        | Patched versions
github.com/apache/trafficcontrol (Go)  | >= 3.0.0, < 3.0.2-RC1    | 3.0.2-RC1

Affected products: 2

Patches: 1
f780aff77a52

Improve ldap error handling

https://github.com/apache/trafficcontrol · Rawlin Peters · Aug 30, 2019 · via ghsa
1 file changed · +4 −0
  • traffic_ops/traffic_ops_golang/login/login.go · +4 −0 · modified
    @@ -51,6 +51,10 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
     			handleErrs(http.StatusBadRequest, err)
     			return
     		}
    +		if form.Username == "" || form.Password == "" {
    +			api.HandleErr(w, r, nil, http.StatusBadRequest, errors.New("username and password are required"), nil)
    +			return
    +		}
     		resp := struct {
     			tc.Alerts
     		}{}
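Review bot: as far as this hunk shows, the guard `if form.Username == "" || form.Password == ""` lives only in LoginHandler, so any other code path that reaches the LDAP bind gets no protection; consider placing (or duplicating) the check in the LDAP authentication routine itself so a bind is never attempted with an empty password regardless of entry point. The commit message "Improve ldap error handling" also undersells the change: it closes an authentication bypass and should say so for anyone auditing history.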
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 12
