CVE-2019-20637: Improper Removal of Sensitive Information Before Storage or Transfer in Varnish Cache

Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 35.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 8; Latest update Jun 8

Description

An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (6 packages)

Source  | Package                             | Affected versions        | More
NVD     | varnish-cache/varnish_cache         | 6.1.0 to 6.2.2           | +1
NVD     | varnish-software/varnish_cache      | 6.0.0 to 6.0.5           |
Debian  | varnish-cache/varnish               | < 6.4.0-1                | +3
Ubuntu  | varnish-cache/varnish               | < 5.2.1-1ubuntu0.1       | +2
NVD     | opensuse/leap                       | 15.1                     |

Vulnerability Details (4)

OSV: varnish vulnerabilities (2022-06-08)
GHSA: GHSA-h2vv-cmjp-m2w5: An issue was discovered in Varnish Cache before 6... (2022-05-24)
CVEList: CVE-2019-20637: An issue was discovered in Varnish Cache before 6... (2020-04-08)
OSV: CVE-2019-20637: An issue was discovered in Varnish Cache before 6... (2020-04-08)

Vendor Advisories (3)

Ubuntu: Varnish Cache vulnerabilities (2022-06-08)
Red Hat: varnish: not clearing pointer between two client requests leads to information disclosure (2019-10-21)
Debian: CVE-2019-20637: varnish - An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x befor... (2019)

Community (1)

Bugzilla: CVE-2019-20637 varnish: not clearing pointer between two client requests leads to information disclosure (2019-11-14)
CVE-2019-20637 — Varnish Cache vulnerability | cvebase