LDAP filter injection vulnerability in Traffic Ops
Description
An unauthenticated attacker can inject unsanitized content into the LDAP filter via a crafted username on the POST /login endpoint of Apache Traffic Control Traffic Ops.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-43350 is an LDAP filter injection vulnerability in Apache Traffic Control's Traffic Ops component. An unauthenticated user can send a request with a specially-crafted username to the POST /login endpoint of any API version, causing unsanitized content to be injected into the LDAP filter [2][3]. The CVE text itself does not list versions, but the GitHub Security Advisory data reproduced below does: Traffic Ops 5.1.0 through 5.1.3 and 6.0.0 are affected, and the fix shipped in 5.1.4 and 6.0.1.
Exploitation
An attacker needs no authentication and only network access to the Traffic Ops API. By sending a POST /login request whose username contains LDAP filter syntax, the attacker can inject arbitrary filter logic. The injection occurs because the username is interpolated into the LDAP search filter without escaping the filter metacharacters defined in RFC 4515 (`(`, `)`, `*`, `\` and NUL) [2][3].
Impact
Successful exploitation lets the attacker change the logic of the LDAP search that the login handler runs: injected metacharacters can widen a single-user lookup into a filter that matches other or all directory entries. Whether that yields an authentication bypass, a login as another user, or only enumeration of valid usernames depends on how Traffic Ops uses the search result and on the directory's configuration; the references do not detail the outcome [2][3].
Mitigation
The references published on the disclosure date (2021-11-11) did not themselves name a patched version [2][3], but the advisory data and patches on this page do: the fix is in Traffic Ops 5.1.4 (changelog entry dated 2021-11-05, "Sanitize username before executing LDAP query") and 6.0.1. Users on 5.1.0 through 5.1.3 or 6.0.0 should upgrade to those releases. No workaround is provided; since the preconditions below require LDAP authentication to be configured, an instance that does not use LDAP is not exposed. The Apache Traffic Control security page (https://trafficcontrol.apache.org/security/) carries the project's advisories.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/apache/trafficcontrol (Go) | >= 6.0.0, < 6.0.1 | 6.0.1 |
| github.com/apache/trafficcontrol (Go) | >= 5.1.0, < 5.1.4 | 5.1.4 |
Affected products
- Traffic Ops
Patches
273dfaecce42d Remove go.mod to make v6.0.1 importable
1 file changed · +0 −82
go.mod+0 −82 removed@@ -1,82 +0,0 @@ -module github.com/apache/trafficcontrol - -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -go 1.17 - -replace ( - github.com/fsnotify/fsnotify v1.4.9 => github.com/fsnotify/fsnotify v1.3.0 - github.com/golang/protobuf v1.4.2 => github.com/golang/protobuf v0.0.0-20171021043952-1643683e1b54 - gopkg.in/yaml.v2 v2.3.0 => gopkg.in/yaml.v2 v2.2.8 -) - -require ( - code.cloudfoundry.org/bytefmt v0.0.0-20180108190415-b31f603f5e1e - github.com/GehirnInc/crypt v0.0.0-20190301055215-6c0105aabd46 - github.com/asaskevich/govalidator v0.0.0-20180319081651-7d2e70ef918f - github.com/basho/backoff v0.0.0-20150307023525-2ff7c4694083 // indirect - github.com/basho/riak-go-client v1.7.1-0.20170327205844-5587c16e0b8b - github.com/cenkalti/backoff v2.2.1+incompatible // indirect - github.com/cihub/seelog v0.0.0-20170110094445-7bfb7937d106 - github.com/dchest/siphash v1.1.0 - github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible - github.com/fsnotify/fsnotify v1.4.9 - github.com/go-acme/lego v2.7.2+incompatible - github.com/go-ozzo/ozzo-validation v3.0.3-0.20180119232150-44af65fe9adf+incompatible - github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b - 
github.com/golang-migrate/migrate/v4 v4.14.1 - github.com/google/uuid v1.1.2 - github.com/hydrogen18/stoppableListener v0.0.0-20151210151943-dadc9ccc400c - github.com/influxdata/influxdb v1.1.1-0.20170104212736-6a94d200c826 - github.com/jmoiron/sqlx v1.2.0 - github.com/json-iterator/go v1.1.6-0.20181024152841-05d041de1043 - github.com/kelseyhightower/envconfig v1.3.1-0.20180308190516-b2c5c876e265 - github.com/kylelemons/godebug v1.1.1-0.20201107061927-e693023230a4 - github.com/lestrrat-go/jwx v0.9.1-0.20190702045520-e35178ac2b1f - github.com/lestrrat/go-jwx v0.0.0-20171104074836-2857e17763b6 - github.com/lib/pq v1.8.0 - github.com/mattn/go-sqlite3 v1.14.5 // indirect - github.com/miekg/dns v1.0.6-0.20180406150955-01d59357d468 - github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.1 // indirect - github.com/onsi/ginkgo v1.14.2 - github.com/onsi/gomega v1.10.3 - github.com/pborman/getopt/v2 v2.1.0 - github.com/pkg/errors v0.9.1 - github.com/stretchr/testify v1.6.1 // indirect - go.etcd.io/bbolt v1.3.5 - golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 - golang.org/x/net v0.0.0-20211104170005-ce137452f963 - golang.org/x/sys v0.0.0-20211103235746-7861aae1554b - golang.org/x/text v0.3.7 // indirect - gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 - gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 // indirect - gopkg.in/ldap.v2 v2.5.1 - gopkg.in/square/go-jose.v2 v2.3.1 // indirect - gopkg.in/yaml.v2 v2.3.0 -) - -require ( - github.com/golang/protobuf v1.4.3 // indirect - github.com/hashicorp/errwrap v1.0.0 // indirect - github.com/hashicorp/go-multierror v1.1.0 // indirect - github.com/nxadm/tail v1.4.4 // indirect - golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect - google.golang.org/protobuf v1.25.0 // indirect - gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect -)
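Review bot: deleting go.mod also deletes the three `replace` pins (fsnotify v1.4.9 => v1.3.0, golang/protobuf v1.4.2 => the 2017 pseudo-version, yaml.v2 v2.3.0 => v2.2.8) and the `gopkg.in/ldap.v2 v2.5.1` requirement that the LDAP login path depends on, and the commit message says only why the file goes, not where those versions are now pinned. Suggest stating in the message where the module definition now lives so a build of the v6.0.1 tag resolves the same dependency set, and removing any accompanying go.sum in the same change rather than leaving it orphaned ("1 file changed" shows it was not touched).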
5a68d18cd0c0 Changelog entry and version bump
10 files changed · +12 −9
CHANGELOG.md+3 −0 modified@@ -3,6 +3,9 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). +## [5.1.4] - 2021-11-05 +- Traffic Ops: Sanitize username before executing LDAP query + ## [5.1.3] - 2021-10-05 ### Changed - Customer names in payloads sent to the `/deliveryservices/request` Traffic Ops API endpoint can no longer contain characters besides alphanumerics, @, !, #, $, %, ^, &, *, (, ), [, ], '.', ' ', and '-'. This fixes a vulnerability that allowed email content injection.
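Review bot: the new `## [5.1.4] - 2021-11-05` entry drops the `### Fixed`/`### Changed` subheading that the surrounding entries use (the `## [5.1.3]` entry directly below opens with `### Changed`), and unlike the 5.1.3 line it does not say which endpoint is affected or that the change fixes a vulnerability. Suggest `### Fixed` followed by `- Traffic Ops: Sanitize username before executing LDAP query. This fixes an LDAP filter injection via the username sent to the login endpoint.` so the Keep a Changelog format referenced at the top of the file is preserved and release readers can tell this is a security fix.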
traffic_router/build/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> <artifactId>traffic_router</artifactId> - <version>5.1.3</version> + <version>5.1.4</version> </parent> <scm>
traffic_router/configuration/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.1.3</version> + <version>5.1.4</version> </parent> <modelVersion>4.0.0</modelVersion>
traffic_router/connector/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> <artifactId>traffic_router</artifactId> - <version>5.1.3</version> + <version>5.1.4</version> </parent> <artifactId>traffic_router_connector</artifactId>
traffic_router/core/pom.xml+1 −1 modified@@ -18,7 +18,7 @@ <parent> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> <artifactId>traffic_router</artifactId> - <version>5.1.3</version> + <version>5.1.4</version> </parent> <artifactId>ROOT</artifactId>
traffic_router/geolocation/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.1.3</version> + <version>5.1.4</version> </parent> <modelVersion>4.0.0</modelVersion>
traffic_router/neustar/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.1.3</version> + <version>5.1.4</version> </parent> <modelVersion>4.0.0</modelVersion>
traffic_router/pom.xml+1 −1 modified@@ -18,7 +18,7 @@ <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.1.3</version> + <version>5.1.4</version> <packaging>pom</packaging> <name>traffic_router</name>
traffic_router/shared/pom.xml+1 −1 modified@@ -25,7 +25,7 @@ under the License. <parent> <artifactId>traffic_router</artifactId> <groupId>com.comcast.cdn.traffic_control.traffic_router</groupId> - <version>5.1.3</version> + <version>5.1.4</version> </parent> <modelVersion>4.0.0</modelVersion>
VERSION+1 −1 modified@@ -1 +1 @@ -5.1.3 +5.1.4
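Review bot: all ten hunks in this commit are version-string or changelog edits, none under a Traffic Ops source path, so the sanitization the changelog line describes is not in this diff and must live in a separate commit that this page's patch list does not include. Suggest the advisory reference the commit that actually changes the Traffic Ops LDAP filter construction, since a reviewer cannot verify from these hunks what "sanitize" means (escaping per RFC 4515 versus rejecting characters).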
Vulnerability mechanics
Root cause
"Missing sanitization of the username parameter before it is interpolated into an LDAP filter string allows LDAP injection."
Attack vector
An unauthenticated attacker sends a POST request to the /login endpoint of any API version with a specially-crafted username field. The username is incorporated directly into an LDAP filter string without sanitization, enabling LDAP injection. By injecting LDAP metacharacters (e.g., parentheses, wildcards, or logical operators), the attacker can alter the filter's logic to bypass authentication or extract information from the LDAP directory.
Affected code
The patch does not show the specific source file where the LDAP query is constructed. However, the changelog entry in [patch_id=1666583] states that the fix sanitizes the username before executing an LDAP query, indicating the vulnerable code is in the Traffic Ops login handler that builds an LDAP filter from user-supplied input.
What the fix does
The patch [patch_id=1666583] bumps the version to 5.1.4 and adds a changelog entry stating "Traffic Ops: Sanitize username before executing LDAP query." The actual sanitization logic is not shown in the provided diff, but the changelog confirms that the fix introduces input sanitization on the username parameter before it is used to construct the LDAP filter. This prevents LDAP injection by ensuring that LDAP-special characters in the username are escaped or rejected.
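The filter construction described under Attack vector and the escaping described under What the fix does, as an added Go example that is not Traffic Ops code and not taken from the patch: the `(&(objectClass=person)(uid=%s))` template, the `buildFilterUnsafe`/`buildFilterSafe`/`usernameAllowed`/`assertionCount` names, the allowlist regex and the crafted username are assumptions for illustration. The escaping follows RFC 4515 section 3 and does what `ldap.EscapeFilter` in gopkg.in/ldap.v2 (the LDAP library pinned in the removed go.mod) does; it is written out here so the block runs without that dependency.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// filterTemplate is an assumed shape for a username lookup; the real
// Traffic Ops filter is not shown in the advisory or the patch.
const filterTemplate = "(&(objectClass=person)(uid=%s))"

// buildFilterUnsafe reproduces the vulnerable pattern: the raw username is
// interpolated into the filter, so filter metacharacters in it become syntax.
func buildFilterUnsafe(username string) string {
	return fmt.Sprintf(filterTemplate, username)
}

// escapeFilterValue escapes an assertion value per RFC 4515 section 3:
// '\', '(', ')', '*' and NUL (and, as go-ldap also does, any byte above 0x7f)
// are replaced by a backslash and two hex digits, so the server can only
// match them literally, never parse them as filter structure.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '\\' || c == '(' || c == ')' || c == '*' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilterSafe is the hardened form: escape first, then interpolate.
func buildFilterSafe(username string) string {
	return fmt.Sprintf(filterTemplate, escapeFilterValue(username))
}

// usernameRe is an illustrative defense-in-depth allowlist applied before
// any LDAP call; whether the project applies one is not visible in the patch.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9._@-]{1,64}$`)

func usernameAllowed(username string) bool {
	return usernameRe.MatchString(username)
}

// assertionCount counts unescaped '(' in a filter. Each one opens a filter
// component, so a username that raises the count above the template's own
// has injected logic rather than supplied a value.
func assertionCount(filter string) int {
	n := 0
	for i := 0; i < len(filter); i++ {
		switch filter[i] {
		case '\\':
			i += 2 // skip the two hex digits of an escape sequence
		case '(':
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample: a crafted username that closes the uid assertion
	// and appends a second, always-true assertion, turning a one-user lookup
	// into a match on every person entry.
	crafted := "*)(objectClass=*"
	for _, u := range []string{"alice", crafted} {
		fmt.Printf("username %q\n  allowlist: %v\n  unsafe: %s (%d components)\n  safe:   %s (%d components)\n",
			u, usernameAllowed(u),
			buildFilterUnsafe(u), assertionCount(buildFilterUnsafe(u)),
			buildFilterSafe(u), assertionCount(assertionSafe(u)))
	}
}

// assertionSafe is a small alias so main reads as a before/after comparison.
func assertionSafe(username string) string {
	return buildFilterSafe(username)
}
```

Running it shows the crafted username producing a four-component filter through the unsafe path and a three-component filter (the template's own count) through the escaped path; the allowlist rejects it outright, which is the cheaper check to apply first when the login names a deployment accepts are known to be simple.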
Preconditions
- config: The Traffic Ops instance must be configured to use LDAP authentication
- auth: No authentication is required; the attacker can be unauthenticated
- network: The attacker must be able to send HTTP POST requests to the /login endpoint
- input: The attacker controls the 'username' field in the POST request body
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mg2c-rc36-p594 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43350 (advisory)
- www.openwall.com/lists/oss-security/2021/11/11/3 (mailing list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2021/11/11/4 (mailing list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2021/11/17/1 (mailing list, x_refsource_MLIST)
- pkg.go.dev/vuln/GO-2024-2776 (web)
- trafficcontrol.apache.org/security (web)
- trafficcontrol.apache.org/security/ (MITRE, x_refsource_MISC)