Description

This web application is using a caching system. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. This cached response can be later served to a victim resulting in various vulnerabilities.

Remediation

Use the HTTP response header Vary to key unkeyed inputs and protect against web cache poisoning. Where possible, avoiding accepting input from HTTP request headers and cookies.

References

Practical Web Cache Poisoning

Vary HTTP response header

Related Vulnerabilities

WordPress admin accessible without HTTP authentication

Apache Tomcat version older than 7.0.28

qdPM Information Disclosure

IIS extended unicode directory traversal vulnerability

PHP allow_url_include enabled

Severity

High

Classification

CWE-44 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Tags

Configuration