Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntucveUbuntu.comUB:CVE-2009-2936
HistoryApr 05, 2010 - 12:00 a.m.

CVE-2009-2936

2010-04-0500:00:00
ubuntu.com
ubuntu.com
8

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.501 Medium

EPSS

Percentile

97.5%

JSON

DISPUTED The Command Line Interface (aka Server CLI or administration
interface) in the master process in the reverse proxy server in Varnish
before 2.1.0 does not require authentication for commands received through
a TCP port, which allows remote attackers to (1) execute arbitrary code via
a vcl.inline directive that provides a VCL configuration file containing
inline C code; (2) change the ownership of the master process via
param.set, stop, and start directives; (3) read the initial line of an
arbitrary file via a vcl.load directive; or (4) conduct cross-site request
forgery (CSRF) attacks that leverage a victim’s location on a trusted
network and improper input validation of directives. NOTE: the vendor
disputes this report, saying that it is “fundamentally misguided and
pointless.”

Notes

Author Note
jdstrand per Debian, “Only a security issue if used against best practices”

Related

fedora 1
securityvulns 2
prion 1
attackerkb 2
cve 1
debiancve 1
nessus 1
packetstorm 1
zdt 1
fedora
fedora
[SECURITY] Fedora 13 Update: varnish-2.1.0-2.fc13
2010-04-29 07:10:38
securityvulns
securityvulns
Varnish privilege escalation
2010-03-31 00:00:00
Medium security hole in Varnish reverse proxy
2010-03-31 00:00:00
prion
prion
Cross site request forgery (csrf)
2010-04-05 16:30:00
attackerkb
attackerkb
CVE-2009-2936
2010-04-05 00:00:00
CVE-2007-2617
2007-05-11 00:00:00
cve
cve
CVE-2009-2936
2010-04-05 16:30:00
debiancve
debiancve
CVE-2009-2936
2010-04-05 16:30:00
nessus
nessus
Fedora 13 : varnish-2.1.0-2.fc13 (2010-6719)
2010-07-01 00:00:00
packetstorm
packetstorm
Varnish Cache CLI Interface Remote Code Execution
2014-12-20 00:00:00
zdt
zdt
Varnish Cache CLI Interface Remote Code Execution Exploit
2014-12-21 00:00:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.501 Medium

EPSS

Percentile

97.5%

JSON
Related for UB:CVE-2009-2936
fedora1securityvulns2prion1attackerkb2cve1debiancve1nessus1packetstorm1zdt1