cvelistv5 - CVE-2024-53678

CVE-2024-53678 (GCVE-0-2024-53678)

Vulnerability from cvelistv5 – Published: 2025-03-25 09:33 – Updated: 2025-03-31 16:23

Title

Apache VCL: SQL injection vulnerability in New Block Allocation form

Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. This issue affects all versions of Apache VCL from 2.2 through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/2bmjnzgjwwq59nv6x…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache VCL	Affected: 2.2 , ≤ 2.5.1 (semver)

Credits

Chiencp and Nothing from TeamTonTac

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-25T10:03:36.518Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/24/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53678",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-31T16:23:09.406932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-31T16:23:19.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache VCL",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.5.1",
              "status": "affected",
              "version": "2.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Chiencp and Nothing from TeamTonTac"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\u003c/p\u003e\u003cp\u003eThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.5.2, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\n\nThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\n\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-25T09:33:36.385Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache VCL: SQL injection vulnerability in New Block Allocation form",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-53678",
    "datePublished": "2025-03-25T09:33:36.385Z",
    "dateReserved": "2024-11-21T21:59:30.303Z",
    "dateUpdated": "2025-03-31T16:23:19.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53678\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-03-25T10:15:13.303\",\"lastModified\":\"2025-07-14T18:06:14.600\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\\n\\nThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\\n\\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales en una instrucci\u00f3n SQL (\u0027Inyecci\u00f3n SQL\u0027) en Apache VCL. Los usuarios pueden modificar los datos del formulario enviado al solicitar una nueva asignaci\u00f3n de bloque, modificando as\u00ed una sentencia SQL SELECT. El atacante no puede ver los datos devueltos por la sentencia SELECT. Este problema afecta a todas las versiones de Apache VCL, desde la 2.2 hasta la 2.5.1. Se recomienda actualizar a la versi\u00f3n 2.5.2, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"MODERATE\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:vcl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2\",\"versionEndExcluding\":\"2.5.2\",\"matchCriteriaId\":\"013BB250-DD4B-4949-9C3E-F0C0E9DE1F6C\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\",\"Issue Tracking\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/03/24/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/03/24/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-03-25T10:03:36.518Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53678\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-31T16:23:09.406932Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-31T16:23:15.871Z\"}}], \"cna\": {\"title\": \"Apache VCL: SQL injection vulnerability in New Block Allocation form\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Chiencp and Nothing from TeamTonTac\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"MODERATE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache VCL\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.5.1\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\\n\\nThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\\n\\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\u003c/p\u003e\u003cp\u003eThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.5.2, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-03-25T09:33:36.385Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53678\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-31T16:23:19.825Z\", \"dateReserved\": \"2024-11-21T21:59:30.303Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-03-25T09:33:36.385Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-53678

Vulnerability from fkie_nvd - Published: 2025-03-25 10:15 - Updated: 2025-07-14 18:06

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@apache.org	https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4	Issue Tracking, Mailing List, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/03/24/1	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	vcl	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:vcl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "013BB250-DD4B-4949-9C3E-F0C0E9DE1F6C",
              "versionEndExcluding": "2.5.2",
              "versionStartIncluding": "2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\n\nThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\n\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales en una instrucci\u00f3n SQL (\u0027Inyecci\u00f3n SQL\u0027) en Apache VCL. Los usuarios pueden modificar los datos del formulario enviado al solicitar una nueva asignaci\u00f3n de bloque, modificando as\u00ed una sentencia SQL SELECT. El atacante no puede ver los datos devueltos por la sentencia SELECT. Este problema afecta a todas las versiones de Apache VCL, desde la 2.2 hasta la 2.5.1. Se recomienda actualizar a la versi\u00f3n 2.5.2, que soluciona el problema."
    }
  ],
  "id": "CVE-2024-53678",
  "lastModified": "2025-07-14T18:06:14.600",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "MODERATE"
        },
        "source": "security@apache.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-25T10:15:13.303",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking",
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/03/24/1"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

CNVD-2025-30844

Vulnerability from cnvd - Published: 2025-12-17

Title

Apache VCL SQL注入漏洞

Description

Apache VCL是美国阿帕奇（Apache）基金会的一套开源的云计算平台。 Apache VCL 2.2至2.5.1版本存在SQL注入漏洞，该漏洞源于SQL命令中特殊元素的中和不当，攻击者可利用该漏洞导致用户修改表单数据以修改SELECT SQL语句。

Severity

高

Patch Name

Apache VCL SQL注入漏洞的补丁

Patch Description

Apache VCL是美国阿帕奇（Apache）基金会的一套开源的云计算平台。 Apache VCL 2.2至2.5.1版本存在SQL注入漏洞，该漏洞源于SQL命令中特殊元素的中和不当，攻击者可利用该漏洞导致用户修改表单数据以修改SELECT SQL语句。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4

Reference

http://www.openwall.com/lists/oss-security/2025/03/24/1

Impacted products

Name
Apache Apache VCL >=2.2，<=2.5.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-53678",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-53678"
    }
  },
  "description": "Apache VCL\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u4e91\u8ba1\u7b97\u5e73\u53f0\u3002\n\nApache VCL 2.2\u81f32.5.1\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eSQL\u547d\u4ee4\u4e2d\u7279\u6b8a\u5143\u7d20\u7684\u4e2d\u548c\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7528\u6237\u4fee\u6539\u8868\u5355\u6570\u636e\u4ee5\u4fee\u6539SELECT SQL\u8bed\u53e5\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-30844",
  "openTime": "2025-12-17",
  "patchDescription": "Apache VCL\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u4e91\u8ba1\u7b97\u5e73\u53f0\u3002\r\n\r\nApache VCL 2.2\u81f32.5.1\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eSQL\u547d\u4ee4\u4e2d\u7279\u6b8a\u5143\u7d20\u7684\u4e2d\u548c\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7528\u6237\u4fee\u6539\u8868\u5355\u6570\u636e\u4ee5\u4fee\u6539SELECT SQL\u8bed\u53e5\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache VCL SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache VCL \u003e=2.2\uff0c\u003c=2.5.1"
  },
  "referenceLink": "http://www.openwall.com/lists/oss-security/2025/03/24/1",
  "serverity": "\u9ad8",
  "submitTime": "2025-03-27",
  "title": "Apache VCL SQL\u6ce8\u5165\u6f0f\u6d1e"
}

GHSA-FWRX-WPPX-25WM

Vulnerability from github – Published: 2025-03-25 12:30 – Updated: 2025-07-14 18:30

Details

This issue affects all versions of Apache VCL from 2.2 through 2.5.1.

Users are recommended to upgrade to version 2.5.2, which fixes the issue.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

5.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-53678"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-25T10:15:13Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.\n\nThis issue affects all versions of Apache VCL from 2.2 through 2.5.1.\n\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue.",
  "id": "GHSA-fwrx-wppx-25wm",
  "modified": "2025-07-14T18:30:35Z",
  "published": "2025-03-25T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53678"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/03/24/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-53678 (GCVE-0-2024-53678)

FKIE_CVE-2024-53678

CNVD-2025-30844

GHSA-FWRX-WPPX-25WM

Tags

Sightings

Nomenclature