CVE-2009-2936

CVSS V2 High 7.5 CVSS V3 None
Description
** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless."
Overview
  • CVE ID
  • CVE-2009-2936
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2010-04-05T16:30:00
  • Last Modified Date
  • 2018-10-10T19:42:46
Weakness Enumerations
CWE URL
CWE-287 http://cwe.mitre.org/data/definitions/287.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:varnish.projects.linpro:varnish:0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:0.9.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:1.1.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:varnish.projects.linpro:varnish:2.0.6:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 7.5
  • Severity
  • HIGH
  • Exploitability Score
  • 10
  • Impact Score
  • 6.4
References
Reference URL Reference Tags
http://www.varnish-cache.org/changeset/3865
http://www.varnish-cache.org/wiki/CLI
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/040359.html
http://www.securityfocus.com/archive/1/510368/100/0/threaded
http://www.securityfocus.com/archive/1/510360/100/0/threaded
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2009-2936
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2936
History
Created Old Value New Value Data Type Notes
2022-05-10 18:32:22 Added to TrackCVE