CVE-2023-41104: Buffer Overflow
First published: Wed Aug 23 2023(Updated: )
libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information disclosure; however, the exact attack surface will depend on the particular VCL (Varnish Configuration Language) configuration in use.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Varnish-software Varnish Enterprise | >=6.0.0<6.0.11 | |
| Varnish-software Varnish Enterprise | =6.0.11 | |
| Varnish-software Varnish Enterprise | =6.0.11-r1 | |
| Varnish-software Varnish Enterprise | =6.0.11-r2 | |
| Varnish-software Varnish Enterprise | =6.0.11-r3 | |
| Varnish-software Varnish Enterprise | =6.0.11-r4 | |
| Varnish-software Vmod Digest | <1.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID is CVE-2023-41104.
What is the severity of CVE-2023-41104?
The severity of CVE-2023-41104 is medium.
What software is affected by CVE-2023-41104?
Varnish Enterprise 6.0.x versions before 6.0.11r5 and libvmod-digest versions before 1.0.3 are affected.
How does CVE-2023-41104 impact security?
CVE-2023-41104 can lead to both authentication bypass and information disclosure due to an out-of-bounds memory access during base64 decoding.
Where can I find more information about CVE-2023-41104?
You can find more information about CVE-2023-41104 at the following sources: - [Varnish Software Security Advisory VSV00012](https://docs.varnish-software.com/security/VSV00012/) - [libvmod-digest 1.0.3 Release](https://github.com/varnish/libvmod-digest/releases/tag/libvmod-digest-1.0.3) - [Varnish Cache Security Advisory VSV00012](https://www.varnish-cache.org/security/VSV00012.html)
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/epss-latest
- source/FIRST
- agent/remedy
- agent/severity
- agent/weakness
- agent/references
- agent/description
- agent/epss
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/varnish-software
- canonical/varnish-software varnish enterprise
- version/varnish-software varnish enterprise/6.0.0
- version/varnish-software varnish enterprise/6.0.11
- version/varnish-software varnish enterprise/6.0.11-r1
- version/varnish-software varnish enterprise/6.0.11-r2
- version/varnish-software varnish enterprise/6.0.11-r3
- version/varnish-software varnish enterprise/6.0.11-r4
- canonical/varnish-software vmod digest