CVE-2019-15892

Publication date 3 September 2019

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
varnish	20.04 LTS focal	Not affected
	19.10 eoan	Ignored end of life
	19.04 disco	Ignored end of life
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

How can I get the fixes?
What do statuses mean?

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

MITRE
NVD
Launchpad
Debian

Other references

https://varnish-cache.org/security/VSV00003.html
https://github.com/varnishcache/varnish-cache/commit/1cb778f6f69737109e8c070a74b8e95b78f46d13
https://github.com/varnishcache/varnish-cache/commit/0f0e51e9871ed1bd1236378f8b0dea0d33df4e9e
https://github.com/varnishcache/varnish-cache/commit/72df38fa8bfc0f5ca4a75d3e32657e8e590d85ab
https://github.com/varnishcache/varnish-cache/commit/dd47e658a0de9d12c433a4a01fb43ea4fe4d3a41
https://github.com/varnishcache/varnish-cache/commit/34717183beda3803e3d54c9826a1a9f026ca2505
https://github.com/varnishcache/varnish-cache/commit/ec3997a59a93cbc13a3cba22dfe0b4c4710a8f65
https://github.com/varnishcache/varnish-cache/commit/af13de03eaa3d04f60ada52ed3235d545b8d3973
https://github.com/varnishcache/varnish-cache/commit/6da64a47beff44ecdb45c82b033811f2d19819af
https://seclists.org/bugtraq/2019/Sep/5
https://www.debian.org/security/2019/dsa-4514
https://www.cve.org/CVERecord?id=CVE-2019-15892