CVE-2020-11653

An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
varnish-cachevarnish_cache
6.1.0 ≤
𝑥
< 6.2.3
varnish-cachevarnish_cache
6.3.0 ≤
𝑥
< 6.3.2
varnish-softwarevarnish_cache
6.0.0 ≤
𝑥
< 6.0.6
opensusebackports_sle
15.0:sp1
opensuseleap
15.1
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
varnish
bullseye (security)
6.5.1-1+deb11u3
fixed
bullseye
6.5.1-1+deb11u3
fixed
stretch
not-affected
jessie
not-affected
bookworm
7.1.1-1.1
fixed
sid
7.6.0-2
fixed
trixie
7.6.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
varnish
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
Fixed 6.2.1-2ubuntu0.1
released
eoan
ignored
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html
https://varnish-cache.org/security/VSV00005.html#vsv00005
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html
https://varnish-cache.org/security/VSV00005.html#vsv00005