Apache VCL Security

Security Issues

The Apache Software Foundation takes security issues seriously and has a security team that helps Apache projects work through security issues. If you discover any potential vulnerabilities in Apache VCL, please report them to security@apache.org.

Known Security Issues

Here is a list of known security issues with Apache VCL along with the versions affected, versions in which they were fixed, and information on patching vulnerable versions.

CVE-2024-53679

• Announced: March 24th, 2025

• Affected versions: versions 2.1 through 2.5.1

• Fixed in version: 2.5.2

• Installing patches

• Problem type: XSS attack

• Description:

  Apache VCL versions 2.1 through 2.5.1 do not properly validate data entered into the User Lookup form on the site. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevated rights. Access to the User Lookup part of the site is typically only granted to administrative users which should help limit who can exploit this vulnerability. However, all VCL systems running versions earlier than 2.5.2 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by Chiencp and Nothing from TeamTonTac

CVE-2024-53678

• Announced: March 24th, 2025

• Affected versions: versions 2.2 through 2.5.1

• Fixed in version: 2.5.2

• Installing patches

• Problem type: SQL injection

• Description:

  Apache VCL versions 2.2 through 2.5.1 do not properly validate data submitted in the Block Allocation request form. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. However, this can still be used to gain some knowledge of data in the database. Any user with an account on a VCL system has access to submit this form. All VCL systems running versions earlier than 2.5.2 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by Chiencp and Nothing from TeamTonTac

CVE-2018-11774

• Announced: July 29th, 2019

• Affected versions: versions 2.1 through 2.5

• Fixed in version: 2.5.1

• Installing patches

• Problem type: SQL Injection

• Description:

  Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts. The form data is then used in SQL statements. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights.
  Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

CVE-2018-11773

• Announced: July 29th, 2019

• Affected versions: versions 2.1 through 2.5

• Fixed in version: 2.5.1

• Installing patches

• Problem type: improper form validation

• Description:

  Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the php built in function strtotime. This allows for an attack against the underlying implementation of that function. The implementation of strtotime at the time the issue was discovered appeared to be resistant to a malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

CVE-2018-11772

• Announced: July 29th, 2019

• Affected versions: versions 2.1 through 2.5

• Fixed in version: 2.5.1

• Installing patches

• Problem type: SQL injection

• Description:

  Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. The cookie data is then used in an SQL statement. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

CVE-2013-0267

• Announced: May 6th, 2013

• Affected versions: versions 2.1, 2.2, 2.2.1, 2.3, 2.3.1

• Fixed in version: 2.2.2, 2.3.2

• Problem type: improper input validation

• Description:

  Some parts of VCL did not properly validate input data. This problem was present both in the Privileges portion of the web GUI and in the XMLRPC API.

  A malicious user having a minimal level of administrative rights could manipulate the data submitted by the web GUI or submit non-standard data to the API to gain additional administrative rights.

  The API functions that are vulnerable were introduced in 2.3.1. Some of those API functions can also be exploited to perform a DOS attack on the site to remove access from other users and to perform an XSS attack to gain elevated privileges.

  The vulnerabilities were found by an Apache VCL developer doing a code review.