CVE-2018-11774: Apache VCL SQL injection attack in VM management

Severity: Medium

Versions Affected: 2.1 through 2.5

Description: Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts. The form data is then used in SQL statements. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched.

Mitigation: Upgrade to 2.5.1 or apply patches from https://vcl.apache.org/security.html

Credit: This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

CVE Released: July 29th, 2019
