Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2009-2936 — Improper Authentication in Varnish
Severity
7.5HIGHNVD
EPSS
68.4%
top 1.39%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedApr 5
Latest updateMay 2
Description
The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitr…
CVSS vector
AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4
Affected Packages2 packages
🔴Vulnerability Details
3GHSA▶
GHSA-vq42-25hh-c536: ** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish be↗2022-05-02
OSV▶
CVE-2009-2936: The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2↗2010-04-05
CVEList▶
CVE-2009-2936: The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2↗2010-04-05
💥Exploits & PoCs
3📋Vendor Advisories
1Debian▶
CVE-2009-2936: varnish - The Command Line Interface (aka Server CLI or administration interface) in the m...↗2009