CVE-2018-11773

CWE-20Improper Input Validation3 documents3 sources
Severity
9.8CRITICAL
EPSS
0.9%
top 24.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Virtual Computing LABApache VCL
Timeline
PublishedJul 29
Latest updateMay 24

Description

Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the php built in function strtotime. This allows for an attack against the underlying implementation of that function. The implementation of strtotime at the time the issue was discovered appeared to be resistant to a malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vuln

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5apache/vcl2.1 through 2.5

🔴Vulnerability Details

2
GHSA
GHSA-wmc6-cwxh-j3rp: Apache VCL versions 22022-05-24
CVEList
CVE-2018-11773: Apache VCL versions 22019-07-29
CVE-2018-11773 (CRITICAL CVSS 9.8) | Apache VCL versions 2.1 through 2.5 | cvebase.io