CVE-2017-12425

DEB

Medium

An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statemen…

CVSS

5.3

Medium

EPSS

0.02

p81

Published

2017-01-01

Updated

2017-01-01

Description

An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases.

Tags · CWE

Pre-auth

CWE-190

CAPEC-92

Affected products

VarnishVarnish_cache

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

2017-01-01

Published

2017-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: N

None (N)

Integrity Impact

I: N

None (N)

Availability Impact

A: L

Low (L)

Exploit indicators

EPSS

0.024 · p81

Known exploited (KEV)

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Varnish_cache_project

Varnish Cache

Varnish-cache

Varnish

Product	Vendor	Status
varnish		Tracked
varnish		Tracked
varnish		Tracked
varnish		Tracked
varnish		Tracked
varnish	*	Tracked
varnish	*	Tracked
varnish_cache	*	Tracked
varnish_cache	*	Tracked
varnish_cache	*	Tracked

Source databases

DEB

CVE

UBU