Posted to dev@vcl.apache.org by Josh Thompson <jf...@apache.org> on 2019/07/29 15:45:30 UTC

[CVE-2018-11774] Apache VCL SQL injection attack in VM management

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2018-11774: Apache VCL SQL injection attack in VM management
 
Severity: Medium
 
Versions Affected: 2.1 through 2.5
 
Description: Apache VCL versions 2.1 through 2.5 do not properly validate form 
input when adding VMs to and removing VMs from hosts. The form data is then 
used in SQL statements, which allows an SQL injection attack. Access to 
this portion of a VCL system requires admin-level rights. Other layers of 
security seem to protect against malicious attack. However, all VCL systems 
running versions earlier than 2.5.1 should be upgraded or patched.
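The bug class the description names, unvalidated form strings interpolated into SQL, is illustrated below with the vulnerable pattern beside its hardened form. This is an added example, not Apache VCL code: the tables, columns and sample rows are constructed and hypothetical, and do not reflect the VCL schema or the actual patched code. It shows that a malformed VM id changes every row under the unsafe pattern, while the hardened path validates the id as a positive integer, checks that the host exists, and binds values as parameters.

```python
"""Constructed illustration of the bug class in CVE-2018-11774: form input
reaching SQL unvalidated. Table and column names are hypothetical and are
not Apache VCL's schema."""
import re
import sqlite3

ID_PATTERN = re.compile(r"[1-9][0-9]*")  # positive integer, ASCII digits only


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE vm_host (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE vm (id INTEGER PRIMARY KEY, name TEXT, host_id INTEGER);
        INSERT INTO vm_host VALUES (1, 'host-a'), (2, 'host-b');
        INSERT INTO vm VALUES (10, 'vm-10', 1), (11, 'vm-11', 1), (12, 'vm-12', 2);
        """
    )
    return conn


def assign_vm_unsafe(conn: sqlite3.Connection, vm_id: str, host_id: str) -> int:
    """Vulnerable pattern: raw form strings are formatted into the statement.
    Returns the number of rows changed, which is the tell-tale of the flaw."""
    sql = f"UPDATE vm SET host_id = {host_id} WHERE id = {vm_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def parse_id(value: str) -> int:
    """Validation step: a VM or host id from a form must be a positive integer."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"invalid id: {value!r}")
    return int(value)


def assign_vm_safe(conn: sqlite3.Connection, vm_id: str, host_id: str) -> int:
    """Hardened pattern: validate types first, then bind values as parameters
    so the database never sees form data as SQL text."""
    vid, hid = parse_id(vm_id), parse_id(host_id)
    # Refuse to change anything when the referenced host does not exist.
    if conn.execute("SELECT 1 FROM vm_host WHERE id = ?", (hid,)).fetchone() is None:
        raise ValueError(f"unknown host: {hid}")
    cur = conn.execute("UPDATE vm SET host_id = ? WHERE id = ?", (hid, vid))
    conn.commit()
    return cur.rowcount


def try_assign_safe(conn: sqlite3.Connection, vm_id: str, host_id: str):
    """Return rows changed, or None if the hardened path rejected the input."""
    try:
        return assign_vm_safe(conn, vm_id, host_id)
    except ValueError:
        return None


def hosts_of(conn: sqlite3.Connection) -> dict:
    """Snapshot of which host each VM is assigned to, keyed by VM id."""
    return {vid: hid for vid, hid in conn.execute("SELECT id, host_id FROM vm ORDER BY id")}


if __name__ == "__main__":
    # Constructed form submission with a malformed VM id.
    bad_vm_id, host = "10 OR 1=1", "2"

    conn = make_db()
    print("unsafe rows changed:", assign_vm_unsafe(conn, bad_vm_id, host))  # 3, every VM moved
    print("unsafe state:", hosts_of(conn))

    conn = make_db()
    print("safe result:", try_assign_safe(conn, bad_vm_id, host))  # None, input rejected
    print("safe state:", hosts_of(conn))
    print("safe, well-formed:", try_assign_safe(conn, "10", host))  # 1, only vm-10 moved
```

The two defences are independent: parameter binding alone would already keep the id from being parsed as SQL, and the integer check alone would reject this input, but applying both means a future query that forgets to bind still only ever receives an integer. A row count greater than one from a single-VM update is also a cheap runtime check worth logging.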
 
Mitigation: Upgrade to 2.5.1 or apply patches from https://vcl.apache.org/security.html
 
Credit: This vulnerability was found and reported to the Apache VCL project by 
ADLab of Venustech.
 
CVE Released: July 29th, 2019
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----