Vulnerability Description
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Varnish-Cache | Varnish Cache | >= 6.1.0, < 6.2.2 |
| Varnish-Software | Varnish Cache | >= 6.0.0, < 6.0.5 |
| Opensuse | Backports Sle | 15.0 |
| Opensuse | Leap | 15.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.htmlMailing ListThird Party Advisory
- http://varnish-cache.org/security/VSV00004.html#vsv00004Vendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.htmlMailing ListThird Party Advisory
- http://varnish-cache.org/security/VSV00004.html#vsv00004Vendor Advisory
FAQ
What is CVE-2019-20637?
CVE-2019-20637 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next req...
How severe is CVE-2019-20637?
CVE-2019-20637 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-20637?
Check the references section above for vendor advisories and patch information. Affected products include: Varnish-Cache Varnish Cache, Varnish-Software Varnish Cache, Opensuse Backports Sle, Opensuse Leap.