CVE-2024-53678
Published: 25 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-53678 is an SQL injection vulnerability (CWE-89) in Apache VCL, stemming from improper neutralization of special elements in SQL commands. It affects all versions from 2.2 through 2.5.1 and occurs when users modify form data submitted for requesting a new Block Allocation, allowing alteration of a SELECT SQL statement. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated users with low privileges (PR:L) can exploit this over the network with low complexity and no user interaction required. By injecting malicious payloads into the form data, attackers can modify the SELECT statement, potentially leading to high impacts on confidentiality, integrity, and availability, though the description notes that data returned by the modified query is not directly viewable by the attacker.
Apache recommends upgrading to version 2.5.2, which resolves the issue. Detailed advisories are available in the Apache mailing list announcement at https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4 and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/03/24/1.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a network-accessible web application (Apache VCL form handling) directly maps to exploitation of the application for initial access or impact.