7.5

CVE-2009-2936

EPSS 68.39%
Veröffentlicht 05.04.2010 16:30:00
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives.  NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Varnish.Projects.Linpro ≫ Varnish Version0.9

Varnish.Projects.Linpro ≫ Varnish Version0.9.1

Varnish.Projects.Linpro ≫ Varnish Version1.0

Varnish.Projects.Linpro ≫ Varnish Version1.0.1

Varnish.Projects.Linpro ≫ Varnish Version1.0.2

Varnish.Projects.Linpro ≫ Varnish Version1.0.3

Varnish.Projects.Linpro ≫ Varnish Version1.0.4

Varnish.Projects.Linpro ≫ Varnish Version1.1

Varnish.Projects.Linpro ≫ Varnish Version1.1.1

Varnish.Projects.Linpro ≫ Varnish Version1.1.2

Varnish.Projects.Linpro ≫ Varnish Version2.0

Varnish.Projects.Linpro ≫ Varnish Version2.0 Updatebeta1

Varnish.Projects.Linpro ≫ Varnish Version2.0 Updatebeta2

Varnish.Projects.Linpro ≫ Varnish Version2.0 Updaterc1

Varnish.Projects.Linpro ≫ Varnish Version2.0.1

Varnish.Projects.Linpro ≫ Varnish Version2.0.2

Varnish.Projects.Linpro ≫ Varnish Version2.0.3

Varnish.Projects.Linpro ≫ Varnish Version2.0.4

Varnish.Projects.Linpro ≫ Varnish Version2.0.5

Varnish.Projects.Linpro ≫ Varnish Version2.0.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	68.39%	0.984

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://lists.fedoraproject.org/pipermail/package-announce/2010-April/040359.html

http://www.securityfocus.com/archive/1/510360/100/0/threaded

http://www.securityfocus.com/archive/1/510368/100/0/threaded

http://www.varnish-cache.org/changeset/3865

http://www.varnish-cache.org/wiki/CLI

https://nvd.nist.gov/vuln/detail/CVE-2009-2936

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-2936

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-2936

EUVD