CVE-2009-2936
Description
The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless.
How to fix CVE-2009-2936
To remediate CVE-2009-2936, upgrade the affected package to a fixed version below.
- —upgrade to 2.1.0-2 or later
Is CVE-2009-2936 being exploited?
Likely — EPSS is 68.4%, placing CVE-2009-2936 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- from 0, < 2.1.0-2