Vulnerability Details CVE-2023-41104
libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information disclosure; however, the exact attack surface will depend on the particular VCL (Varnish Configuration Language) configuration in use.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 40.2%
CVSS Severity
CVSS v3 Score 6.5
References
- https://docs.varnish-software.com/security/VSV00012/
- https://github.com/varnish/libvmod-digest/releases/tag/libvmod-digest-1.0.3
- https://www.varnish-cache.org/security/VSV00012.html
- https://docs.varnish-software.com/security/VSV00012/
- https://github.com/varnish/libvmod-digest/releases/tag/libvmod-digest-1.0.3
- https://www.varnish-cache.org/security/VSV00012.html
Products affected by CVE-2023-41104
-
cpe:2.3:a:varnish-software:varnish_enterprise:*
-
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11
-
cpe:2.3:a:varnish-software:vmod_digest:0.1
-
cpe:2.3:a:varnish-software:vmod_digest:0.2
-
cpe:2.3:a:varnish-software:vmod_digest:0.3
-
cpe:2.3:a:varnish-software:vmod_digest:0.4
-
cpe:2.3:a:varnish-software:vmod_digest:1.0.0
-
cpe:2.3:a:varnish-software:vmod_digest:1.0.1
-
cpe:2.3:a:varnish-software:vmod_digest:1.0.2