CVE-2017-12425
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases.
Se ha descubierto un problema en Varnish HTTP Cache 4.0.1 a 4.0.4; 4.1.0 a 4.1.7; 5.0.0; y 5.1.0 a 5.1.2. Una instrucción if incorrecta en el código fuente de varnishd significa que ciertas peticiones no válidas formuladas por el cliente pueden desembocar en una aserción, relacionada con un desbordamiento de enteros. Esto provoca que el proceso de trabajo varnishd se anule y se reinicie, perdiendo todos los contenidos de la caché en el proceso. Por lo tanto, un atacante puede bloquear el proceso de trabajo varnishd cuando quiera y evitar de forma efectiva que envíen contenidos (ataque por Denegación de Servicio). El nombre de archivo de código fuente específico que contiene la instrucción errónea varía según las versiones.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-08-04 CVE Reserved
- 2017-08-04 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-190: Integer Overflow or Wraparound
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1477222 | Issue Tracking | |
| https://bugzilla.suse.com/show_bug.cgi?id=1051917 | Issue Tracking | |
| https://github.com/varnishcache/varnish-cache/issues/2379 | Third Party Advisory | |
| https://lists.debian.org/debian-security-announce/2017/msg00186.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2017/dsa-3924 | 2022-08-02 | |
| https://www.varnish-cache.org/security/VSV00001.html#vsv00001 | 2022-08-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Varnish-cache Search vendor "Varnish-cache" | Varnish Search vendor "Varnish-cache" for product "Varnish" | 4.0.2 Search vendor "Varnish-cache" for product "Varnish" and version "4.0.2" | rc-1 |
Affected
| ||||||
| Varnish-cache Search vendor "Varnish-cache" | Varnish Search vendor "Varnish-cache" for product "Varnish" | 4.0.3 Search vendor "Varnish-cache" for product "Varnish" and version "4.0.3" | rc-1 |
Affected
| ||||||
| Varnish-cache Search vendor "Varnish-cache" | Varnish Search vendor "Varnish-cache" for product "Varnish" | 4.0.3 Search vendor "Varnish-cache" for product "Varnish" and version "4.0.3" | rc-2 |
Affected
| ||||||
| Varnish-cache Search vendor "Varnish-cache" | Varnish Search vendor "Varnish-cache" for product "Varnish" | 4.0.3 Search vendor "Varnish-cache" for product "Varnish" and version "4.0.3" | rc-2-proper |
Affected
| ||||||
| Varnish-cache Search vendor "Varnish-cache" | Varnish Search vendor "Varnish-cache" for product "Varnish" | 4.0.3 Search vendor "Varnish-cache" for product "Varnish" and version "4.0.3" | rc-3 |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 4.0.1 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "4.0.1" | - |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 4.0.2 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "4.0.2" | - |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 4.0.3 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "4.0.3" | - |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 4.0.4 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "4.0.4" | - |
Affected
| ||||||
| Varnish-cache Search vendor "Varnish-cache" | Varnish Search vendor "Varnish-cache" for product "Varnish" | 4.1.0 Search vendor "Varnish-cache" for product "Varnish" and version "4.1.0" | - |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.0 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.0" | beta1 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.0 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.0" | technology_preview1 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.1 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.1" | - |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.1 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.1" | beta1 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.1 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.1" | beta2 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.2 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.2" | - |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.2 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.2" | beta1 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.2 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.2" | beta2 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.3 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.3" | - |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.3 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.3" | beta1 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.3 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.3" | beta2 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.4 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.4" | - |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.4 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.4" | beta1 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.4 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.4" | beta2 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.4 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.4" | beta3 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.5 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.5" | - |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.5 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.5" | beta1 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.5 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.5" | beta2 |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.6 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.6" | - |
Affected
| ||||||
| Varnish-software Search vendor "Varnish-software" | Varnish Cache Search vendor "Varnish-software" for product "Varnish Cache" | 4.1.7 Search vendor "Varnish-software" for product "Varnish Cache" and version "4.1.7" | - |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 5.0.0 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "5.0.0" | - |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 5.1.0 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "5.1.0" | - |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 5.1.1 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "5.1.1" | - |
Affected
| ||||||
| Varnish Cache Project Search vendor "Varnish Cache Project" | Varnish Cache Search vendor "Varnish Cache Project" for product "Varnish Cache" | 5.1.2 Search vendor "Varnish Cache Project" for product "Varnish Cache" and version "5.1.2" | - |
Affected
| ||||||