Lucene search

MitreCVE-2009-4488

HistoryJan 13, 2010 - 8:30 p.m.

CVE-2009-4488

2010-01-1320:30:00

CWE-20

mitre

web.nvd.nist.gov

cve-2009-4488

varnish

log file

remote code execution

http request

escape sequence

security vulnerability

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

7.7

Confidence

Low

EPSS

0.002

Percentile

60.6%

JSON

Varnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window’s title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. NOTE: the vendor disputes the significance of this report, stating that "This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.

Affected configurations

Nvd

Node

varnish.projects.linprovarnishMatch2.0.6

VendorProductVersionCPE
varnish.projects.linprovarnish2.0.6cpe:2.3:a:varnish.projects.linpro:varnish:2.0.6:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
varnish.projects.linpro	varnish	2.0.6	cpe:2.3:a:varnish.projects.linpro:varnish:2.0.6:::::::*

References

www.securityfocus.com/archive/1/508830/100/0/threaded

www.securityfocus.com/bid/37713

www.ush.it/team/ush/hack_httpd_escape/adv.txt

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

7.7

Confidence

Low

EPSS

0.002

Percentile

60.6%

JSON

Related for CVE-2009-4488