N/A

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

控制流实现总是不正确

Varnish Cache 安全漏洞

Varnish Cache是Varnish公司的一套反向网站缓存服务器。 Varnish Cache 9.0.1之前版本存在安全漏洞，该漏洞源于timeout_linger后，恶意客户端可能发送HTTP/1请求并等待足够长时间，然后在会话关闭前恢复流量并同时发送多个请求以触发请求间的流水线操作，可能导致工作空间溢出拒绝服务。

N/A

N/A