SQL Injection Vulnerability in Apache VCL's Privilege Management
CVE-2018-11772

7.2HIGH

Key Information:

Vendor: Apache
Status: Vcl
Vendor: CVE Published:; 29 July 2019

Summary

Versions 2.1 to 2.5 of Apache VCL have a vulnerability that allows for SQL injection due to the inadequate validation of cookie inputs within the privilege management system. Although other security measures are present, admin level access is necessary to exploit this flaw. Users are highly encouraged to update to version 2.5.1 or later to mitigate this risk. The vulnerability was reported to the Apache VCL project by ADLab of Venustech.

Affected Version(s)

VCL 2.1 through 2.5

References

https://lists.apache.org/thread.html/a468c473b4c418307b98...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/ffde9f87d0730ba6d4e1...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 29, 2019
Vulnerability Reserved
Jun 5, 2018