Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntucveUbuntu.comUB:CVE-2009-2936
HistoryApr 05, 2010 - 12:00 a.m.

CVE-2009-2936

2010-04-0500:00:00
ubuntu.com
ubuntu.com
15

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.481

Percentile

97.5%

JSON

DISPUTED The Command Line Interface (aka Server CLI or administration
interface) in the master process in the reverse proxy server in Varnish
before 2.1.0 does not require authentication for commands received through
a TCP port, which allows remote attackers to (1) execute arbitrary code via
a vcl.inline directive that provides a VCL configuration file containing
inline C code; (2) change the ownership of the master process via
param.set, stop, and start directives; (3) read the initial line of an
arbitrary file via a vcl.load directive; or (4) conduct cross-site request
forgery (CSRF) attacks that leverage a victim’s location on a trusted
network and improper input validation of directives. NOTE: the vendor
disputes this report, saying that it is “fundamentally misguided and
pointless.”

Notes

Author Note
jdstrand per Debian, “Only a security issue if used against best practices”

Related

fedora 1
metasploit 2
cvelist 1
nvd 1
securityvulns 2
attackerkb 2
prion 1
debiancve 1
packetstorm 3
cve 1
nessus 1
zdt 1
exploitdb 1
fedora
fedora
[SECURITY] Fedora 13 Update: varnish-2.1.0-2.fc13
2010-04-29 07:10:38
metasploit
metasploit
Varnish Cache CLI Login Utility
2016-11-22 03:06:20
Varnish Cache CLI File Read
2017-04-08 13:15:07
cvelist
cvelist
CVE-2009-2936
2010-04-05 16:00:00
nvd
nvd
CVE-2009-2936
2010-04-05 16:30:00
securityvulns
securityvulns
Varnish privilege escalation
2010-03-31 00:00:00
Medium security hole in Varnish reverse proxy
2010-03-31 00:00:00
attackerkb
attackerkb
CVE-2009-2936
2010-04-05 00:00:00
CVE-2007-2617
2007-05-11 00:00:00
prion
prion
Cross site request forgery (csrf)
2010-04-05 16:30:00
debiancve
debiancve
CVE-2009-2936
2010-04-05 16:30:00
packetstorm
packetstorm
Varnish Cache CLI File Read
2024-08-31 00:00:00
Varnish Cache CLI Login Utility
2024-08-31 00:00:00
Varnish Cache CLI Interface Remote Code Execution
2014-12-20 00:00:00
cve
cve
CVE-2009-2936
2010-04-05 16:30:00
nessus
nessus
Fedora 13 : varnish-2.1.0-2.fc13 (2010-6719)
2010-07-01 00:00:00
zdt
zdt
Varnish Cache CLI Interface Remote Code Execution Exploit
2014-12-21 00:00:00
exploitdb
exploitdb
Varnish Cache CLI Interface - Remote Code Execution (Metasploit)
2014-12-19 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.481

Percentile

97.5%

JSON
Related for UB:CVE-2009-2936
fedora1metasploit2cvelist1nvd1securityvulns2attackerkb2prion1debiancve1packetstorm3cve1nessus1zdt1exploitdb1