ID CVE-2020-11653
Summary An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY protocol version 2 on a listener configured for it (varnishd -a addr,PROXY). A remote peer on that listener can trigger an assertion failure in the worker process; the management process restarts the worker, which drops the in-memory cache and all in-flight connections, so the practical effect is a remote denial of service and a loss of cache hit rate until the cache is warm again.
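Added example, not Varnish's code and not a reproduction of the VSV00005 defect (this page does not give the exact trigger): a bounds-checked PROXY protocol v2 header parser in C showing the fail-closed handling a CWE-617 fix requires. Every malformed input, including a TLV whose declared length overruns the header, returns a status to the caller instead of hitting an assertion that would restart the daemon. The header and TLV layout follow the public PROXY v2 specification; the sample bytes (documentation-range addresses, a PP2_TYPE_SSL TLV carrying "TLSv1.3") are constructed for this example.

```c
/* Added example: bounds-checked PROXY v2 header parser (not Varnish code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PX2_HDR_LEN 16
#define PP2_TYPE_SSL 0x20   /* TLV carrying TLS details from the terminating proxy */

typedef enum { PX_OK = 0, PX_NEED_MORE, PX_BAD_SIG, PX_BAD_VERSION,
               PX_BAD_FAMILY, PX_BAD_LEN, PX_BAD_TLV } px_status;

typedef struct {
    int command;          /* 0 = LOCAL, 1 = PROXY */
    int family;           /* 0 = UNSPEC, 1 = INET, 2 = INET6, 3 = UNIX */
    uint16_t src_port, dst_port;
    int tlv_count;        /* top-level TLVs seen */
    int ssl_tlv_count;    /* PP2_TYPE_SSL TLVs seen */
} px_info;

static const uint8_t px2_sig[12] =
    {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a TLV list; 0 on success, -1 if any TLV header or value overruns len. */
static int walk_tlvs(const uint8_t *p, size_t len, px_info *out, int nested)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 3) return -1;            /* truncated type/length */
        uint8_t type = p[off];
        size_t vlen = be16(p + off + 1);
        off += 3;
        if (vlen > len - off) return -1;         /* value overruns the header */
        if (!nested) {
            out->tlv_count++;
            if (type == PP2_TYPE_SSL) {
                out->ssl_tlv_count++;
                /* PP2_TYPE_SSL: 1 byte client flags + 4 byte verify, then sub-TLVs */
                if (vlen < 5) return -1;
                if (walk_tlvs(p + off + 5, vlen - 5, out, 1) != 0) return -1;
            }
        }
        off += vlen;
    }
    return 0;
}

px_status px2_parse(const uint8_t *buf, size_t buflen, px_info *out)
{
    memset(out, 0, sizeof *out);
    if (buflen < PX2_HDR_LEN) return PX_NEED_MORE;
    if (memcmp(buf, px2_sig, sizeof px2_sig) != 0) return PX_BAD_SIG;
    if ((buf[12] >> 4) != 2 || (buf[12] & 0x0F) > 1) return PX_BAD_VERSION;
    out->command = buf[12] & 0x0F;
    out->family = buf[13] >> 4;
    if (out->family > 3 || (buf[13] & 0x0F) > 2) return PX_BAD_FAMILY;
    size_t len = be16(buf + 14);                 /* bytes after the 16-byte head */
    if (buflen - PX2_HDR_LEN < len) return PX_NEED_MORE;
    size_t addr_len = 0;
    switch (out->family) {
    case 1: addr_len = 12;  break;               /* 4+4 addresses, 2+2 ports */
    case 2: addr_len = 36;  break;               /* 16+16 addresses, 2+2 ports */
    case 3: addr_len = 216; break;               /* two 108-byte socket paths */
    default: break;                              /* UNSPEC: no address block */
    }
    if (len < addr_len) return PX_BAD_LEN;
    const uint8_t *body = buf + PX2_HDR_LEN;
    if (out->family == 1) { out->src_port = be16(body + 8);  out->dst_port = be16(body + 10); }
    if (out->family == 2) { out->src_port = be16(body + 32); out->dst_port = be16(body + 34); }
    if (walk_tlvs(body + addr_len, len - addr_len, out, 0) != 0) return PX_BAD_TLV;
    return PX_OK;
}

/* Constructed sample: PROXY v2, INET/STREAM, 192.0.2.10:51324 -> 198.51.100.7:443,
 * plus one PP2_TYPE_SSL TLV whose sub-TLV 0x21 (SSL version) carries "TLSv1.3". */
static const uint8_t sample_good[] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21,              /* version 2, command PROXY */
    0x11,              /* AF_INET, STREAM */
    0x00,0x1E,         /* 30 bytes follow: 12 address + 18 TLV */
    192,0,2,10,  198,51,100,7,  0xC8,0x7C,  0x01,0xBB,
    0x20, 0x00,0x0F,   /* PP2_TYPE_SSL, 15-byte value */
    0x01, 0x00,0x00,0x00,0x00,               /* client flags, verify result */
    0x21, 0x00,0x07, 'T','L','S','v','1','.','3'
};

/* Same header, but the SSL sub-TLV claims 65535 bytes while only 7 remain. */
px_status demo_malformed(px_info *out)
{
    uint8_t buf[sizeof sample_good];
    memcpy(buf, sample_good, sizeof buf);
    buf[37] = 0xFF; buf[38] = 0xFF;
    return px2_parse(buf, sizeof buf, out);
}

int main(void)
{
    px_info info;
    printf("good: status %d, tlvs %d\n",
           px2_parse(sample_good, sizeof sample_good, &info), info.tlv_count);
    printf("malformed: status %d (PX_BAD_TLV=%d)\n", demo_malformed(&info), PX_BAD_TLV);
    printf("truncated: status %d (PX_NEED_MORE=%d)\n",
           px2_parse(sample_good, sizeof sample_good - 1, &info), PX_NEED_MORE);
    return 0;
}
```

The design point is that nothing reachable from the network is a precondition for an assert: the signature, version, family, declared length, address block and every TLV length are checked against the bytes actually present, and a bad result is reported to the caller, which can close the connection and log it while the daemon keeps serving.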
References
Vulnerable Configurations
  • cpe:2.3:a:varnish-cache:varnish_cache:6.0.2:*:*:*:lts:*:*:*
  • cpe:2.3:a:varnish-cache:varnish_cache:6.0.3:*:*:*:lts:*:*:*
  • cpe:2.3:a:varnish-cache:varnish_cache:6.0.4:*:*:*:lts:*:*:*
  • cpe:2.3:a:varnish-cache:varnish_cache:6.0.5:*:*:*:lts:*:*:*
  • cpe:2.3:a:varnish-cache:varnish_cache:*:*:*:*:-:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
CVSS (v2)
Base: 5.0 (as of 22-04-2022 - 16:25)
Impact: 2.9 (subscore computed from the v2 vector AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability: 10.0 (subscore computed from the same vector)
CWE CWE-617
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 1813867
title CVE-2020-11653 varnish: remote clients may cause Varnish to assert and restart which could result in DoS
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 8 is installed
      oval oval:com.redhat.rhba:tst:20193384074
    • comment Module varnish:6 is enabled
      oval oval:com.redhat.rhsa:tst:20204756011
    • OR
      • AND
        • comment varnish is earlier than 0:6.0.6-2.module+el8.3.0+6843+b3b42fcc
          oval oval:com.redhat.rhsa:tst:20204756001
        • comment varnish is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20204756002
      • AND
        • comment varnish-devel is earlier than 0:6.0.6-2.module+el8.3.0+6843+b3b42fcc
          oval oval:com.redhat.rhsa:tst:20204756003
        • comment varnish-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20204756004
      • AND
        • comment varnish-docs is earlier than 0:6.0.6-2.module+el8.3.0+6843+b3b42fcc
          oval oval:com.redhat.rhsa:tst:20204756005
        • comment varnish-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20204756006
      • AND
        • comment varnish-modules is earlier than 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc
          oval oval:com.redhat.rhsa:tst:20204756007
        • comment varnish-modules is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20204756008
      • AND
        • comment varnish-modules-debugsource is earlier than 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc
          oval oval:com.redhat.rhsa:tst:20204756009
        • comment varnish-modules-debugsource is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20204756010
rhsa
id RHSA-2020:4756
released 2020-11-04
severity Moderate
title RHSA-2020:4756: varnish:6 security, bug fix, and enhancement update (Moderate)
rpms
  • varnish-0:6.0.6-2.module+el8.3.0+6843+b3b42fcc
  • varnish-devel-0:6.0.6-2.module+el8.3.0+6843+b3b42fcc
  • varnish-docs-0:6.0.6-2.module+el8.3.0+6843+b3b42fcc
  • varnish-modules-0:0.15.0-5.module+el8.3.0+6843+b3b42fcc
  • varnish-modules-debuginfo-0:0.15.0-5.module+el8.3.0+6843+b3b42fcc
  • varnish-modules-debugsource-0:0.15.0-5.module+el8.3.0+6843+b3b42fcc
refmap via4
misc https://varnish-cache.org/security/VSV00005.html#vsv00005
suse
  • openSUSE-SU-2020:0808
  • openSUSE-SU-2020:0819
Last major update 22-04-2022 - 16:25
Published 08-04-2020 - 23:15
Last modified 22-04-2022 - 16:25