Cyber Resilience

CVE-2021-28543

Medium

Published: 16 March 2021

Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 4.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L)
EPSS Score: 0.0092 (76.4th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-28543 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in varnish-modules, the add-on module collection for Varnish Cache. Its CVSS v3.1 base score is 4.0 (Medium).

Operationally, it is ranked in the top 23.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.


Vulnerability details

Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. This does not affect organizations that only install the Varnish Cache product; however, it is common to install both Varnish Cache and varnish-modules. Specifically, an assertion failure or NULL pointer dereference can be triggered in Varnish Cache through the varnish-modules header.append() and header.copy() functions. For some Varnish Configuration Language (VCL) files, this gives remote clients an opportunity to cause a Varnish Cache restart. A restart reduces overall availability and performance due to an increased number of cache misses, and may cause higher load on backend servers.

CWE(s)

CWE-476: NULL Pointer Dereference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor           Product                    Version
varnish-cache    varnish-modules            ≤ 0.17.1
varnish-cache    varnish-modules klarlack   ≤ 0.17.1
fedoraproject    fedora                     34

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
