CVE-2018-11772: Apache VCL SQL injection attack in privilege management

Severity: Medium

Versions Affected: 2.1 through 2.5

Description: Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. The cookie data is then used in an SQL statement. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched.

Mitigation: Upgrade to 2.5.1 or apply patches from https://vcl.apache.org/security.html

Credit: This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

CVE Released: July 29th, 2019
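The class of bug described above, a cookie value placed into an SQL statement without validation, is shown here beside a hardened form. This is an added example, not Apache VCL code or the project's patch; the table, column and cookie names (privnode, id, ACTIVENODE) and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added illustration, not Apache VCL source. The table, column and cookie
// names (privnode, id, ACTIVENODE) are hypothetical.

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE privnode (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO privnode (id, name) VALUES (1, 'root'), (2, 'engineering')");

const DEFAULT_NODE = 1;

// Pattern the advisory describes: the cookie string is pasted into the SQL text.
// Shown for contrast only and never called below.
function activeNodeUnsafe(PDO $db, array $cookies): int
{
    $sql = "SELECT id FROM privnode WHERE id = " . ($cookies['ACTIVENODE'] ?? DEFAULT_NODE);
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened form: validate the cookie as a positive integer, then bind it.
function activeNodeSafe(PDO $db, array $cookies): int
{
    $node = filter_var($cookies['ACTIVENODE'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($node === false) {
        return DEFAULT_NODE;          // missing or malformed cookie: fall back
    }
    $stmt = $db->prepare('SELECT id FROM privnode WHERE id = :id');
    $stmt->execute([':id' => $node]);
    $id = $stmt->fetchColumn();
    return $id === false ? DEFAULT_NODE : (int) $id;   // unknown node: fall back
}

// Constructed cookie values: valid, unknown node, non-numeric, missing.
foreach ([['ACTIVENODE' => '2'], ['ACTIVENODE' => '99'],
          ['ACTIVENODE' => '2 OR 1=1'], []] as $cookies) {
    printf("%-28s => node %d\n", json_encode($cookies), activeNodeSafe($db, $cookies));
}
```

Only the first cookie value selects node 2; the other three fall back to the default node because the value is either not a known node or not an integer.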
