CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
97.5%
DISPUTED The Command Line Interface (aka Server CLI or administration
interface) in the master process in the reverse proxy server in Varnish
before 2.1.0 does not require authentication for commands received through
a TCP port, which allows remote attackers to (1) execute arbitrary code via
a vcl.inline directive that provides a VCL configuration file containing
inline C code; (2) change the ownership of the master process via
param.set, stop, and start directives; (3) read the initial line of an
arbitrary file via a vcl.load directive; or (4) conduct cross-site request
forgery (CSRF) attacks that leverage a victim’s location on a trusted
network and improper input validation of directives. NOTE: the vendor
disputes this report, saying that it is “fundamentally misguided and
pointless.”
Author | Note |
---|---|
jdstrand | per Debian, “Only a security issue if used against best practices” |