CVE-2019-20637

An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.

Published: Apr 9, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-20637
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-212

Affected Software
References

Software	From	Fixed in
varnish-cache / varnish_cache	6.1.0	6.2.2
varnish-cache / varnish_cache	6.3.0	6.3.1
varnish-software / varnish_cache	6.0.0	6.0.5
opensuse / leap	15.1	15.1.x
opensuse / backports_sle	15.0-sp1	15.0-sp1.x

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html
http://varnish-cache.org/security/VSV00004.html#vsv00004

Vulnerability Database

289,598

CVE-2019-20637