CVE-2019-15892

Name
CVE-2019-15892
Description
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://varnish-cache.org/security/VSV00003.html
Mailing List https://seclists.org/bugtraq/2019/Sep/5
Third Party Advisory https://www.debian.org/security/2019/dsa-4514
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00069.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLSF54TDJWJLINIFEW5V5BKDNY5EQRR3/
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00089.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OEOCYRU43TWEU2C65F3D6GK64MSWNNK/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBAQF6UDRSTURGINIMSMLJR4PTDYWA7C/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:varnish-cache:varnish:*:*:*:*:lts:*:*:* varnish >= 6.0.0 < 6.0.4
cpe:2.3:a:varnish-cache:varnish:*:*:*:*:*:*:*:* varnish >= 6.2.0 < 6.2.1
cpe:2.3:a:varnish-cache:varnish:*:*:*:*:*:*:*:* varnish >= 6.1.0 <= 6.1.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
varnish 3.10-main 6.2.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed