Input validation error in Varnish Cache and Varnish Enterprise - #VU79811

 


Published: August 22, 2023


Vulnerability identifier: #VU79811
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Varnish Software
Affected software:
Varnish Cache
Varnish Enterprise

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass the authentication process or gain access to sensitive information.

The vulnerability exists due to insufficient validation of base64-encoded data in the vmod-digest module. A remote attacker can send specially crafted data to the server and either bypass HTTP Basic authentication or gain access to sensitive information by reading out of band workspace data.


Remediation

Install updates from the vendor's website.
