NVD

Id
50157  
Name
CVE-2009-2936  
Description
** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim"s location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless."  
Reject
 
CVSS Version
2  
CVSS Score
7.5  
Severity
High  
CVSS Base Score
7.5  
CVSS Impact Subscore
6.4  
CVSS Exploit Subscore
10  
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:P)  
Pub Date
2017-01-07  
Published
2010-04-05  
Modified Date
2010-05-06  
Seq
2009-2936  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
253868 50157 CVE-2009-2936 FEDORA-2010-6719  View
253869 50157 CVE-2009-2936 20100329 Medium security hole in Varnish reverse proxy  View
253870 50157 CVE-2009-2936 20100329 Re: [Full-disclosure] Medium security hole in Varnish reverse proxy  View
253871 50157 CVE-2009-2936 http://www.varnish-cache.org/changeset/3865  View
253872 50157 CVE-2009-2936 http://www.varnish-cache.org/wiki/CLI  View

Related JVN