Vulnerability Name:

CVE-2020-11653 (CCN-180527)

Assigned:2020-02-04
Published:2020-02-04
Updated:2022-11-29
Summary:An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-400
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2020-11653

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: XF
Type: UNKNOWN
varnishcache-cve202011653-dos(180527)

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: CCN
Type: Varnish Security Advisory VSV00005
Varnish HTTP Proxy Protocol V2 Denial of Service

Source: cve@mitre.org
Type: Vendor Advisory
cve@mitre.org

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
  • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:varnish-cache:varnish_cache:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:varnish-cache:varnish_cache:6.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:varnish-cache:varnish_cache:6.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:varnish-cache:varnish_cache:6.0.5:*:*:*:lts:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:93618
    P
    (Important)
    2022-07-06
    oval:org.opensuse.security:def:202011653
    V
    CVE-2020-11653
    2021-10-24
    oval:org.opensuse.security:def:64580
    P
    Security update for gd (Moderate)
    2021-09-27
    oval:org.opensuse.security:def:100331
    P
    (Important)
    2021-09-23
    oval:org.opensuse.security:def:64740
    P
    Security update for rpm (Important)
    2021-08-12
    oval:org.opensuse.security:def:63428
    P
    libexif12-32bit-0.6.21-5.3.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:64682
    P
    Security update for avahi (Moderate)
    2021-05-04
    oval:org.opensuse.security:def:64473
    P
    Security update for the Linux Kernel (Important)
    2021-04-16
    oval:org.opensuse.security:def:64472
    P
    Security update for clamav (Important)
    2021-04-14
    oval:org.opensuse.security:def:62957
    P
    jcl-over-slf4j-1.7.30-1.34 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63631
    P
    libpoppler73-0.62.0-2.33 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62925
    P
    rpm-build-4.14.1-10.16.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62929
    P
    zlib-devel-32bit-1.2.11-3.6.4 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63135
    P
    clamsap-0.99.25-2.37 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62932
    P
    apache-commons-compress-1.19-1.63 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:74794
    P
    Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64336
    P
    libjasper4 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:74927
    P
    Security update for varnish (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63778
    P
    Security update for java-1_8_0-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:64852
    P
    Security update for postgresql10 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64007
    P
    Security update for libpng16 (Moderate)
    2020-12-01
    oval:com.redhat.rhsa:def:20204756
    P
    RHSA-2020:4756: varnish:6 security, bug fix, and enhancement update (Moderate)
    2020-11-04
    oval:org.opensuse.security:def:110589
    P
    Security update for varnish (Moderate)
    2020-06-13
    BACK
    varnish-cache varnish cache 6.0.0
    varnish-cache varnish cache 6.2.2
    varnish-cache varnish cache 6.3.1
    varnish-cache varnish cache 6.0.5