Attacker Value
Very Low
(1 user assessed)
(1 user assessed)
User Interaction
Privileges Required
Attack Vector


Disclosure Date: April 05, 2010
Add MITRE ATT&CK tactics and techniques that apply to this CVE.


** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim’s location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is “fundamentally misguided and pointless.”

Add Assessment

  • Attacker Value
    Very Low
  • Exploitability
Technical Analysis

The (3) part of this does seem to be true, using vcl.load and supplying it a file will attempt to load the file. Because the file is most likely NOT a vcl file, the file will fail to load, however the error message echoed back to the user includes the first line of the file.
While you are able to read an arbitrary file, you’ll only get the first line, YMMV. The process is most likely also not running as root, so /etc/shadow where the first line would be great most likely won’t happen.

General Information

Technical Analysis