Lucene search

GoogleOSV:CVE-2023-41104

HistoryAug 23, 2023 - 7:15 a.m.

CVE-2023-41104

2023-08-2307:15:08

Google

osv.dev

cve-2023-41104

varnish enterprise

authentication bypass

information disclosure

vcl configuration

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.002

Percentile

54.8%

JSON

libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information disclosure; however, the exact attack surface will depend on the particular VCL (Varnish Configuration Language) configuration in use.

References

docs.varnish-software.com/security/VSV00012/

github.com/varnish/libvmod-digest/releases/tag/libvmod-digest-1.0.3

www.varnish-cache.org/security/VSV00012.html

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.002

Percentile

54.8%

JSON

Related for OSV:CVE-2023-41104