{"api_version":"1","generated_at":"2026-04-23T01:11:53+00:00","cve":"CVE-2019-20637","urls":{"html":"https://cve.report/CVE-2019-20637","api":"https://cve.report/api/cve/CVE-2019-20637.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-20637","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-20637"},"summary":{"title":"CVE-2019-20637","description":"An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-04-08 23:15:00","updated_at":"2022-08-02 19:03:00"},"problem_types":["CWE-212"],"metrics":[],"references":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html","name":"openSUSE-SU-2020:0819","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0819-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html","name":"openSUSE-SU-2020:0808","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0808-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://varnish-cache.org/security/VSV00004.html#vsv00004","name":"http://varnish-cache.org/security/VSV00004.html#vsv00004","refsource":"MISC","tags":["Vendor Advisory"],"title":"VSV00004 Workspace information leak — Varnish HTTP Cache","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-20637","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20637","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"20637","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"opensuse","cpe5":"backports_sle","cpe6":"15.0","cpe7":"sp1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"20637","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"20637","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-cache","cpe5":"varnish_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"20637","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-cache","cpe5":"varnish_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"20637","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-cache","cpe5":"varnish_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"20637","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-cache","cpe5":"varnish_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"20637","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-software","cpe5":"varnish_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-20637","qid":"198827","title":"Ubuntu Security Notification for Varnish Cache Vulnerabilities (USN-5474-1)"},{"cve":"CVE-2019-20637","qid":"376890","title":"Alibaba Cloud Linux Security Update for varnish:6 (ALINUX3-SA-2022:0024)"},{"cve":"CVE-2019-20637","qid":"940035","title":"AlmaLinux Security Update for varnish:6 (ALSA-2020:4756)"},{"cve":"CVE-2019-20637","qid":"960778","title":"Rocky Linux Security Update for varnish:6 (RLSA-2020:4756)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-20637","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"http://varnish-cache.org/security/VSV00004.html#vsv00004","refsource":"MISC","name":"http://varnish-cache.org/security/VSV00004.html#vsv00004"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0819","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00031.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0808","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00026.html"}]}},"nvd":{"publishedDate":"2020-04-08 23:15:00","lastModifiedDate":"2022-08-02 19:03:00","problem_types":["CWE-212"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-cache:varnish_cache:*:*:*:*:-:*:*:*","versionStartIncluding":"6.1.0","versionEndExcluding":"6.2.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-cache:varnish_cache:*:*:*:*:-:*:*:*","versionStartIncluding":"6.3.0","versionEndExcluding":"6.3.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.0.5","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"20637","Ordinal":"172344","Title":"CVE-2019-20637","CVE":"CVE-2019-20637","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"20637","Ordinal":"1","NoteData":"An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"20637","Ordinal":"2","NoteData":"2020-04-08","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"20637","Ordinal":"3","NoteData":"2020-06-16","Type":"Other","Title":"Modified"}]}}}