Vulnerability Description
libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information disclosure; however, the exact attack surface will depend on the particular VCL (Varnish Configuration Language) configuration in use.
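The defect class named above, an out-of-bounds read while decoding base64, is worth seeing in concrete terms, because in a VCL deployment the decoder typically runs over attacker-controlled input such as the credential part of an HTTP `Authorization: Basic` header. The following C decoder is an added example written for this page; it is not code from libvmod-digest or Varnish and does not reconstruct the actual bug. It shows the checks a bounds-safe decoder needs: an explicit input length instead of trusting a terminator, rejection of inputs whose length is not a multiple of four, a stop on any character outside the alphabet, padding accepted only at the end of the final group, and an output-capacity check before every write. The sample credential strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one character of the standard base64 alphabet (RFC 4648, section 4)
 * to its 6-bit value, or return -1 for anything outside the alphabet. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode exactly in_len bytes of base64 from `in` into `out`.
 * The function never reads past in + in_len and never writes past
 * out + out_cap. Returns the number of bytes written, or -1 if the
 * input is malformed (length not a multiple of 4, non-alphabet byte,
 * misplaced '=') or the output buffer is too small. */
long b64_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    size_t written = 0;

    if (in_len % 4 != 0)
        return -1;

    for (size_t i = 0; i < in_len; i += 4) {
        int v[4];
        int pad = 0;

        for (int j = 0; j < 4; j++) {
            unsigned char c = (unsigned char)in[i + j];
            if (c == '=') {
                /* '=' is only legal in positions 2 and 3 of the last group. */
                if (i + 4 != in_len || j < 2)
                    return -1;
                pad++;
                v[j] = 0;
            } else {
                if (pad)            /* data after padding is malformed */
                    return -1;
                v[j] = b64_value(c);
                if (v[j] < 0)
                    return -1;
            }
        }

        size_t n = 3 - (size_t)pad;       /* bytes this group produces */
        if (written + n > out_cap)        /* check before writing */
            return -1;

        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6)  |  (uint32_t)v[3];
        out[written++] = (unsigned char)(triple >> 16);
        if (n > 1) out[written++] = (unsigned char)(triple >> 8);
        if (n > 2) out[written++] = (unsigned char)triple;
    }
    return (long)written;
}

/* Stand-alone demo: decode a constructed Basic-auth credential and show
 * that truncated or corrupted variants are rejected instead of being
 * read or written out of bounds. */
int main(void)
{
    /* Constructed inputs; "dXNlcjpwYXNz" is base64 for "user:pass". */
    const char *samples[] = {
        "dXNlcjpwYXNz",   /* valid                          */
        "dXNlcjpwYX",     /* truncated: length not % 4     */
        "dXNlcjp=YXNz",   /* '=' in the middle             */
        "dXNl!jpw",       /* byte outside the alphabet     */
    };
    unsigned char buf[16];

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        long n = b64_decode(samples[k], strlen(samples[k]), buf, sizeof buf);
        if (n < 0)
            printf("%-14s -> rejected\n", samples[k]);
        else
            printf("%-14s -> %ld bytes: %.*s\n", samples[k], n, (int)n, buf);
    }
    return 0;
}
```

The explicit `in_len`/`out_cap` pair is the point: a decoder that derives how much to read from the content of the input (counting until it sees `=` or a terminator, or assuming the length is a multiple of four) has no guard when an attacker supplies a string that violates those assumptions, and a subsequent comparison against the decoded bytes can then operate on memory it was never meant to see.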
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Varnish-Software | Varnish Enterprise | 6.0.x: >= 6.0.0, < 6.0.11r5 |
| Varnish-Software | Vmod Digest (libvmod-digest) | < 1.0.3 |
Related Weaknesses (CWE)
References
- https://docs.varnish-software.com/security/VSV00012/ (Mitigation, Vendor Advisory)
- https://github.com/varnish/libvmod-digest/releases/tag/libvmod-digest-1.0.3 (Release Notes)
- https://www.varnish-cache.org/security/VSV00012.html (Patch, Vendor Advisory)
FAQ
What is CVE-2023-41104?
CVE-2023-41104 is a vulnerability with a CVSS score of 6.5 (MEDIUM). libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information disclosure; the exact attack surface depends on the particular VCL (Varnish Configuration Language) configuration in use.
How severe is CVE-2023-41104?
CVE-2023-41104 has been rated MEDIUM with a CVSS base score of 6.5/10. Only the base score is listed on this page; because the real-world impact depends on how the VCL configuration feeds untrusted input into libvmod-digest's base64 decoding, consult the vendor advisory (VSV00012) in the references above for the detailed assessment.
Is there a patch for CVE-2023-41104?
Yes. The issue is fixed in libvmod-digest 1.0.3 and in Varnish Enterprise 6.0.11r5; see the vendor advisory (VSV00012) and the libvmod-digest 1.0.3 release notes in the references above. Affected products include: Varnish-Software Varnish Enterprise, Varnish-Software Vmod Digest (libvmod-digest).