V
Scaner-VS
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
CVE-2017-12425
DEB
Medium

An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statemen…

CVSS
5.3
Medium
EPSS
0.02
p81
Published
2017-01-01
Updated
2017-01-01
Description

An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases.

Tags · CWE
Pre-auth
CWE-190
CAPEC-92
Affected products
VarnishVarnish_cache
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Timeline
2017-01-01
Published
2017-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: N
None (N)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: N
None (N)
Integrity Impact
I: N
None (N)
Availability Impact
A: L
Low (L)
Exploit indicators
EPSS
0.024 · p81
Known exploited (KEV)
No
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
ProductVendorStatus
varnishTracked
varnishTracked
varnishTracked
varnishTracked
varnishTracked
varnish*Tracked
varnish*Tracked
varnish_cache*Tracked
varnish_cache*Tracked
varnish_cache*Tracked
Source databases
DEB
CVE
UBU