SQL Injection Vulnerability in Apache VCL Versions 2.1 to 2.5
CVE-2018-11774
7.2 HIGH
What is CVE-2018-11774?
Apache VCL versions 2.1 through 2.5 do not properly validate form input when virtual machines (VMs) are added to or removed from hosts. This weakness can lead to SQL injection, because maliciously crafted input can be incorporated into the SQL statements the application executes. Access to this part of the VCL system requires administrative privileges, which offers a layer of security, but systems running versions earlier than 2.5.1 should be promptly upgraded or patched to eliminate this risk.
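The class of flaw described above, shown as an added example that is not Apache VCL's code: a form handler that concatenates submitted VM ids into an `IN (...)` clause, beside a version that validates each id and binds it as a parameter. The schema, the function names and the assumption that the form submits a host id and a list of VM ids as strings are all hypothetical, and the sample input is constructed.

```python
import sqlite3

def make_db():
    """Constructed sample data; table and column names are hypothetical, not VCL's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vm (id INTEGER PRIMARY KEY, name TEXT, host_id INTEGER)")
    db.executemany("INSERT INTO vm VALUES (?, ?, ?)",
                   [(1, "vm-a", None), (2, "vm-b", None), (3, "vm-c", 7)])
    return db

def add_vms_vulnerable(db, host_id, vm_ids):
    """'Before' pattern: raw form strings become part of the SQL text."""
    sql = "UPDATE vm SET host_id = %s WHERE id IN (%s)" % (host_id, ",".join(vm_ids))
    return db.execute(sql).rowcount  # number of rows the statement changed

def parse_ids(values, limit=100):
    """Accept only short ASCII decimal strings; reject anything else outright."""
    if not values or len(values) > limit:
        raise ValueError("bad id count")
    ids = []
    for v in values:
        if not (isinstance(v, str) and v.isascii() and v.isdigit() and len(v) <= 9):
            raise ValueError("non-numeric id: %r" % (v,))
        ids.append(int(v))
    return ids

def add_vms_hardened(db, host_id, vm_ids):
    """Validate first, then bind every value; only '?' marks are formatted in."""
    host = parse_ids([host_id])[0]
    ids = parse_ids(vm_ids)
    marks = ",".join("?" * len(ids))
    cur = db.execute("UPDATE vm SET host_id = ? WHERE id IN (%s)" % marks,
                     [host, *ids])
    return cur.rowcount

if __name__ == "__main__":
    crafted = ["1) OR (1=1"]  # constructed input that alters the WHERE clause
    print("vulnerable rows changed:", add_vms_vulnerable(make_db(), "5", crafted))
    try:
        add_vms_hardened(make_db(), "5", crafted)
    except ValueError as exc:
        print("hardened rejected input:", exc)
    print("hardened rows changed:", add_vms_hardened(make_db(), "5", ["1", "2"]))
```

With the constructed input the first function changes every row in the table, while the second raises before any statement is built.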
Affected Version(s)
VCL 2.1 through 2.5