HIGH🇬🇧 English

CVE-2009-2936

CVSS 7.5v2.0pub. 2010-04-05upd. 2026-04-29

The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless.

oryginał EN
CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Varnish.projects.linpro Varnish

    APP
    Varnish.Projects.Linpro
    0.90.9.11.01.0.11.0.21.0.31.0.41.11.1.11.1.22.02.0.12.0.22.0.32.0.4+ 2 więcej
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEAuth Bypass
CWE
Referencje

Powiązane podatności

CVE-2009-4488CRITICAL9.8ten sam produkt

Varnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote ...