VDB
CVE-2017-12425
CVE-2017-12425
PUBLISHED
An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases.
EPSS 1.42% · 80.9th percentile
Risk Scores
EPSS Score
1.42%
80.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | varnish | 0, 4.0.3-1, 4.1.0-2 |
Timeline
- Aug 4, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-12425 third-party-advisory
- https://www.varnish-cache.org/security/VSV00001.html#vsv00001 third-party-advisory
- https://github.com/varnishcache/varnish-cache/issues/2379 third-party-advisory
- https://lists.debian.org/debian-security-announce/2017/msg00186.html third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-12425 third-party-advisory