
Cloud Vulnerability DB
A community-led vulnerabilities database
Varnish HTTP cache before version 3.0.4 contained an Access Control List (ACL) bug identified as CVE-2013-4090. The vulnerability was discovered and disclosed in June 2013, affecting all versions of Varnish HTTP cache prior to the 3.0.4 release (Varnish Announce). The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH) (NVD).
The vulnerability stems from two bugs in the code that compiles VCL ACLs into C code. It affects non-classful CIDR ACL entries (i.e., /xx except /8, /16, /24) when more specific ACL entries are also present. When the CIDR split byte matches a more specific entry, the CIDR mask is rounded up to a byte boundary, causing the ACL to match less than it should. When the CIDR split byte does not match the more specific entry, the CIDR entry is ignored where the split byte matches the tested IP number (Varnish Announce).
The primary impact of this vulnerability is that ACLs match fewer IP addresses than they should. This becomes particularly concerning when ACLs are used to deny access, as some IP addresses that should have been denied might slip through the security controls. The bug affects both IPv4 and IPv6 addresses equally (Varnish Announce).
The vulnerability was fixed in Varnish version 3.0.4. For older versions, a patch was provided that modifies the lib/libvcl/vcc_acl.c file to correct the ACL compilation logic. Users were advised to either upgrade to version 3.0.4 or apply the provided patch (Varnish Announce).
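To find ACLs that meet the preconditions described above on a pre-3.0.4 deployment, the following added example (not Varnish code and not part of the original advisory) flags CIDR entries that are not byte-aligned and have a more specific entry in the same ACL. The function names and the sample VCL are hypothetical, and treating any prefix length that is not a multiple of 8 as affected is an assumption that extends the advisory's /8, /16, /24 list to IPv6.

```python
import ipaddress
import re

# Simplified VCL parsing: comments inside acl blocks are not stripped.
ACL_BLOCK = re.compile(r'\bacl\s+(\w+)\s*\{(.*?)\}', re.S)
ACL_ENTRY = re.compile(r'!?\s*"([^"]+)"\s*(?:/\s*(\d+))?\s*;')

# Constructed sample VCL (documentation address ranges), not from the advisory.
SAMPLE_VCL = '''
acl blocked {
    "192.0.2.0"/26;
    ! "192.0.2.10";
    "198.51.100.0"/24;
    "198.51.100.7";
    "203.0.113.0"/28;
    "2001:db8::"/44;
    "2001:db8:1::"/48;
    "localhost";
}
'''

def parse_acls(vcl):
    """Return {acl_name: [ip_network, ...]}; hostname entries are skipped."""
    acls = {}
    for name, body in ACL_BLOCK.findall(vcl):
        nets = []
        for addr, plen in ACL_ENTRY.findall(body):
            target = f"{addr}/{plen}" if plen else addr
            try:
                nets.append(ipaddress.ip_network(target, strict=False))
            except ValueError:
                continue  # hostname or malformed entry: out of scope here
        acls[name] = nets
    return acls

def at_risk_entries(vcl):
    """List (acl, cidr, more_specific) where cidr is not byte-aligned
    and the same ACL also holds a more specific entry inside it."""
    findings = []
    for name, nets in parse_acls(vcl).items():
        for net in nets:
            if net.prefixlen % 8 == 0:
                continue  # byte-aligned prefixes are outside the advisory's scope
            inner = [str(o) for o in nets if o.version == net.version
                     and o.prefixlen > net.prefixlen and o.subnet_of(net)]
            if inner:
                findings.append((name, str(net), inner))
    return findings

if __name__ == "__main__":
    for acl, cidr, inner in at_risk_entries(SAMPLE_VCL):
        print(f"acl {acl}: {cidr} overlaps more specific {', '.join(inner)}")
```

A finding means the entry matches the conditions in the advisory, not that a given address is confirmed to bypass the ACL; the fix remains upgrading to 3.0.4 or applying the patch.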
Source: This report was generated using AI