Vulnerability Details CVE-2019-20637
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html
- http://varnish-cache.org/security/VSV00004.html#vsv00004
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html
- http://varnish-cache.org/security/VSV00004.html#vsv00004
Products affected by CVE-2019-20637
-
cpe:2.3:a:opensuse:backports_sle:15.0
-
cpe:2.3:a:varnish-cache:varnish_cache:*
-
cpe:2.3:a:varnish-software:varnish_cache:6.0.0
-
cpe:2.3:a:varnish-software:varnish_cache:6.0.1
-
cpe:2.3:a:varnish-software:varnish_cache:6.0.2
-
cpe:2.3:a:varnish-software:varnish_cache:6.0.3
-
cpe:2.3:a:varnish-software:varnish_cache:6.0.4
-
cpe:2.3:o:opensuse:leap:15.1