Vulnerability CVE-2019-15892


Published: 2019-09-03

Description:
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.

Type:

CWE-20

(Improper Input Validation)

Vendor: Varnish-cache
Product: Varnish 
Version:
6.2.0
6.1.1
6.1.0
6.0.3
6.0.2
6.0.0
Vendor: Debian
Product: Debian linux 
Version: 10;

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.8/10
6.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00069.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00089.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLSF54TDJWJLINIFEW5V5BKDNY5EQRR3/
https://seclists.org/bugtraq/2019/Sep/5
https://varnish-cache.org/security/VSV00003.html
https://www.debian.org/security/2019/dsa-4514

Related CVE
CVE-2019-17358
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti ...
CVE-2013-4245
Orca has arbitrary code execution due to insecure Python module load
CVE-2019-19604
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a ma...
CVE-2019-19630
HTMLDOC 1.9.7 allows a stack-based buffer overflow in the hd_strlcpy() function in string.c (when called from render_contents in ps-pdf.cxx) via a crafted HTML document.
CVE-2012-1114
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2013-0326
OpenStack nova base images permissions are world readable
CVE-2013-2745
An SQL Injection vulnerability exists in MiniDLNA prior to 1.1.0

Copyright 2019, cxsecurity.com

 

Back to Top