CVE-2023-27238

Vulnerability

Overview

CVE-2023-27238 identifies a web cache poisoning vulnerability in LavaLite CMS version 9.0.0. The root cause lies in how the application handles HTTP request headers or generates cache keys, potentially allowing an attacker to inject malicious content into the web cache. By manipulating specific request parameters, an attacker can cause the cache to store and serve a crafted response to subsequent users, effectively poisoning the cache [1].

Exploitation

Requirements

Exploitation requires network proximity to the caching layer (e.g., a reverse proxy or CDN) and the ability to send crafted HTTP requests to the application. No authentication is needed; the attack can be performed by an unauthenticated remote attacker. The vulnerability is triggered by sending a request with manipulated headers (such as X-Forwarded-Host or other unkeyed inputs) that influence the response stored by the cache. The specific attack vector is detailed in the security advisory provided by the researcher [3].

Impact

A successful web cache poisoning attack can cause users visiting the site to receive attacker-controlled content, such as malicious scripts or phishing pages, without directly compromising the server. This can lead to widespread client-side attacks, data theft, or defacement, as the poisoned cache persists until it is purged or expires. The impact is amplified because cached responses are served to all users who request the poisoned URL during the cache lifetime [2].

Mitigation

Status

No official patch has been released by the LavaLite maintainers as of the publication date. However, the advisory from M19O recommends configurations to mitigate the risk, including validating and sanitizing HTTP headers used for cache key generation and ensuring that the cache only keys on safe, expected inputs. Users are advised to review their caching infrastructure and apply workarounds until a fix is provided [3][4].