CVE-2024-53678 - Vulnerability Details - OpenCVE

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. This issue affects all versions of Apache VCL from 2.2 through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/03/24/1
https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4

History

Tue, 25 Mar 2025 10:45:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/03/24/1

Tue, 25 Mar 2025 09:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. This issue affects all versions of Apache VCL from 2.2 through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue.
Title		Apache VCL: SQL injection vulnerability in New Block Allocation form
Weaknesses		CWE-89
References		https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2025-03-25T09:33:36.385Z

Updated: 2025-03-25T10:03:36.518Z

Reserved: 2024-11-21T21:59:30.303Z

Link: CVE-2024-53678

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-03-25T10:15:13.303

Modified: 2025-03-25T10:15:13.303

Link: CVE-2024-53678

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53678", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-11-21T21:59:30.303Z", "datePublished": "2025-03-25T09:33:36.385Z", "dateUpdated": "2025-03-25T10:03:36.518Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache VCL", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.5.1", "status": "affected", "version": "2.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Chiencp and Nothing from TeamTonTac"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.</p><p>This issue affects all versions of Apache VCL from 2.2 through 2.5.1.</p><p>Users are recommended to upgrade to version 2.5.2, which fixes the issue.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\n\nThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\n\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-03-25T09:33:36.385Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache VCL: SQL injection vulnerability in New Block Allocation form", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/24/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-25T10:03:36.518Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\n\nThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\n\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue."}], "id": "CVE-2024-53678", "lastModified": "2025-03-25T10:15:13.303", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2025-03-25T10:15:13.303", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/24/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@apache.org", "type": "Primary"}]}