Vulnerability Description
Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. This does not affect organizations that only install the Varnish Cache product; however, it is common to install both Varnish Cache and varnish-modules. Specifically, an assertion failure or NULL pointer dereference can be triggered in Varnish Cache through the varnish-modules header.append() and header.copy() functions. For some Varnish Configuration Language (VCL) files, this gives remote clients an opportunity to cause a Varnish Cache restart. A restart reduces overall availability and performance due to an increased number of cache misses, and may cause higher load on backend servers.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Varnish-Cache | Varnish-Modules | < 0.17.1 |
| Varnish-Cache | Varnish-Modules Klarlack | < 0.17.1 |
| Fedoraproject | Fedora | 34 |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://varnish-cache.org/security/VSV00006.htmlVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://varnish-cache.org/security/VSV00006.htmlVendor Advisory
FAQ
What is CVE-2021-28543?
CVE-2021-28543 is a vulnerability with a CVSS score of 4.0 (MEDIUM). Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. This does not affect organizations that only install the Varnish Cac...
How severe is CVE-2021-28543?
CVE-2021-28543 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-28543?
Check the references section above for vendor advisories and patch information. Affected products include: Varnish-Cache Varnish-Modules, Varnish-Cache Varnish-Modules Klarlack, Fedoraproject Fedora.