CVE-2018-11772

7.2HIGH

Key Information:

Vendor: Apache
Status: Vcl
Vendor: CVE Published:; 29 July 2019

Summary

Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. The cookie data is then used in an SQL statement. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

Affected Version(s)

VCL 2.1 through 2.5

References

https://lists.apache.org/thread.html/a468c473b4c418307b98...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/ffde9f87d0730ba6d4e1...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 29, 2019
Vulnerability Reserved
Jun 5, 2018