Improper Input Validation in Apache VCL Affecting Multiple Versions
CVE-2018-11773

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Vcl
Vendor: CVE Published:; 29 July 2019

Summary

Apache VCL versions ranging from 2.1 to 2.5 are susceptible to an input validation flaw during the processing of block allocation submissions. When users submit forms, the unvalidated data is passed to the PHP function strtotime, which can lead to unexpected behavior and potential exploitation. Early analyses indicated that the implementation of strtotime seemed resilient to attacks, but it is crucial for users operating VCL versions prior to 2.5.1 to apply the necessary upgrades or patches to mitigate this vulnerability. The issue was identified and reported by ADLab of Venustech.

Affected Version(s)

VCL 2.1 through 2.5

References

https://lists.apache.org/thread.html/db71c4edc21ecb834cf2...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/8f3284afbcb4b87ed107...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 29, 2019
Vulnerability Reserved
Jun 5, 2018