{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-06T02:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://varnish-cache.org/security/VSV00003.html"}, {"name": "20190904 [SECURITY] [DSA 4514-1] varnish security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Sep/5"}, {"name": "DSA-4514", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4514"}, {"name": "openSUSE-SU-2019:2184", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00069.html"}, {"name": "FEDORA-2019-8a85a90af6", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSF54TDJWJLINIFEW5V5BKDNY5EQRR3/"}, {"name": "openSUSE-SU-2019:2221", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00089.html"}, {"name": "FEDORA-2019-a0a0cdef92", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3OEOCYRU43TWEU2C65F3D6GK64MSWNNK/"}, {"name": "FEDORA-2019-feec5e0afd", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBAQF6UDRSTURGINIMSMLJR4PTDYWA7C/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15892", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://varnish-cache.org/security/VSV00003.html", "refsource": "MISC", "url": "https://varnish-cache.org/security/VSV00003.html"}, {"name": "20190904 [SECURITY] [DSA 4514-1] varnish security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Sep/5"}, {"name": "DSA-4514", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4514"}, {"name": "openSUSE-SU-2019:2184", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00069.html"}, {"name": "FEDORA-2019-8a85a90af6", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLSF54TDJWJLINIFEW5V5BKDNY5EQRR3/"}, {"name": "openSUSE-SU-2019:2221", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00089.html"}, {"name": "FEDORA-2019-a0a0cdef92", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OEOCYRU43TWEU2C65F3D6GK64MSWNNK/"}, {"name": "FEDORA-2019-feec5e0afd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBAQF6UDRSTURGINIMSMLJR4PTDYWA7C/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:03:32.487Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://varnish-cache.org/security/VSV00003.html"}, {"name": "20190904 [SECURITY] [DSA 4514-1] varnish security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Sep/5"}, {"name": "DSA-4514", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4514"}, {"name": "openSUSE-SU-2019:2184", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00069.html"}, {"name": "FEDORA-2019-8a85a90af6", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSF54TDJWJLINIFEW5V5BKDNY5EQRR3/"}, {"name": "openSUSE-SU-2019:2221", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00089.html"}, {"name": "FEDORA-2019-a0a0cdef92", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3OEOCYRU43TWEU2C65F3D6GK64MSWNNK/"}, {"name": "FEDORA-2019-feec5e0afd", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBAQF6UDRSTURGINIMSMLJR4PTDYWA7C/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15892", "datePublished": "2019-09-03T20:56:18", "dateReserved": "2019-09-03T00:00:00", "dateUpdated": "2024-08-05T01:03:32.487Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*", "matchCriteriaId": "028D4B5E-AE00-42E7-9F4B-EF541782E535", "versionEndExcluding": "6.0.4", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*", "matchCriteriaId": "AAE58CF8-0906-44E3-8F1C-E38F0D4BA840", "versionEndIncluding": "6.1.1", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*", "matchCriteriaId": "341D13E1-1907-4D8F-ACEE-747DFC28201E", "versionEndExcluding": "6.2.1", "versionStartIncluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack."}, {"lang": "es", "value": "Se detecto un problema en Varnish Cache en versiones anteriores a la 6.0.4 LTS y 6.1.x y 6.2.x en versiones anteriores a la 6.2.1. Un error de an\u00e1lisis HTTP/1 permite a un atacante remoto desencadenar una aserci\u00f3n mediante el env\u00edo de solicitudes HTTP/1 dise\u00f1adas. La aserci\u00f3n provocar\u00e1 un reinicio autom\u00e1tico con una memoria cach\u00e9 limpia, lo que la convierte en un ataque de Denegaci\u00f3n de Servicio."}], "id": "CVE-2019-15892", "lastModified": "2023-11-07T03:05:35.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-03T21:15:10.953", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00069.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00089.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3OEOCYRU43TWEU2C65F3D6GK64MSWNNK/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBAQF6UDRSTURGINIMSMLJR4PTDYWA7C/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSF54TDJWJLINIFEW5V5BKDNY5EQRR3/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Sep/5"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://varnish-cache.org/security/VSV00003.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4514"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4756", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "varnish:6-8030020200530080205.30b713e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-0:4.1-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-varnish-0:6.0.6-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-varnish-modules-0:0.15.0-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-0:4.1-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-varnish-0:6.0.6-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-varnish-modules-0:0.15.0-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-0:4.1-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-varnish-0:6.0.6-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHEA-2020:2262", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-varnish6-varnish-modules-0:0.15.0-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-05-26T00:00:00Z"}], "bugzilla": {"description": "varnish: denial of service handling certain crafted HTTP/1 requests", "id": "1756079", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1756079"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.", "A flaw was found in the way Varnish parsed certain HTTP/1 requests. A remote attacker could use this flaw to crash Varnish by sending specially crafted multiple HTTP/1 requests processed on the same HTTP/1 keep-alive connection. This causes Varnish to restart with a clean cache, causing a denial of service."], "mitigation": {"lang": "en:us", "value": "This flaw can be mitigated by using making changes in varnish configuration by using VCL (Varnish Configuration Language). More details available at: https://varnish-cache.org/security/VSV00003-mitigation.html#vsv00003-mitigation"}, "name": "CVE-2019-15892", "package_state": [{"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-varnish5-varnish", "product_name": "Red Hat Software Collections"}], "public_date": "2019-09-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-15892\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15892\nhttps://varnish-cache.org/security/VSV00003.html"], "statement": "This is a remote denial of service flaw in varnish cache application. It causes varnish to restart, with a clean cache, since the purpose of varnish is to cache web pages thereby improving overall web server performance, an attacker can cause web performance to degrade due to this attack.", "threat_severity": "Moderate", "upstream_fix": "varnish 6.0.4, varnish 6.2.1"}