CVE-2019-20637

HIGH

Varnish Cache <6.0.5 LTS, 6.1.x, 6.2.x <6.2.2, 6.3.x <6.3.1 - Info ...

Title source: llm

Description

An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.

Scores

CVSS v3 7.5
EPSS 0.0048
EPSS Percentile 65.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-212
Status published
Products (4)
opensuse/backports_sle 15.0 sp1
opensuse/leap 15.1
varnish-cache/varnish_cache 6.1.0 - 6.2.2
varnish-software/varnish_cache 6.0.0 - 6.0.5
Published Apr 08, 2020
Tracked Since Feb 18, 2026