CVE-2018-11773

EPSS 0.88%
Published 29.07.2019 19:15:11
Last modified 21.11.2024 03:44:00
Source security@apache.org
Teams watchlist Login
Open Login

Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the php built in function strtotime. This allows for an attack against the underlying implementation of that function. The implementation of strtotime at the time the issue was discovered appeared to be resistant to a malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Virtual Computing Lab Version >= 2.1 <= 2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.88%	0.732

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.apache.org/thread.html/8f3284afbcb4b87ed107dac98603020c23a379c687858b41da763147%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/db71c4edc21ecb834cf20e3ee23ffac5d37f32e7eb67257a413bf878%40%3Cdev.vcl.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2018-11773

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-11773

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-11773

EUVD