mailing list archives
Apache VCL improper input validation
From: Josh Thompson <jfthomps () apache org>
Date: Mon, 06 May 2013 12:32:14 -0400
CVE-2013-0267: Apache VCL improper input validation
Vendor: The Apache Software Foundation
Apache VCL 2.1, 2.2, 2.2.1, 2.3, 2.3.1
Some parts of VCL did not properly validate input data. This problem was
present both in the Privileges portion of the web GUI and in the XMLRPC API.
A malicious user having a minimal level of administrative rights could
manipulate the data submitted by the web GUI or submit non-standard data to
the API to gain additional administrative rights.
The API functions that are vulnerable were introduced in 2.3.1. Some of those
API functions can also be exploited to perform a DOS attack on the site to
remove access from other users and to perform an XSS attack to gain elevated
The vulnerabilities were found by an Apache VCL developer doing a code review.
No know exploits are in the wild at this point.
Apache VCL 2.2.2, 2.3.2
Apache VCL 2.3 and 2.3.1 users should upgrade to 2.3.2 as soon as possible.
Apache VCL 2.2 and 2.2.1 users should upgrade to 2.2.2 as soon as possible.
Apache VCL 2.1 users should upgrade to 2.2.2 or 2.3.2 as soon as possible.
Apache VCL 2.2.2 and 2.3.2 can be downloaded from
There are no complete workarounds. However, users must have at least
nodeAdmin, manageGroup, resourceGrant, or userGrant to exploit the
vulnerabilities. Removing that access from anyone that is not fully trusted
will minimized chances of an exploit against your site.
Apache VCL release manager
Description: This is a digitally signed message part.
- Apache VCL improper input validation Josh Thompson (May 06)