Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.
3.0.4-1ubuntu13.0.4-1ubuntu23.0.5-1ubuntu23.0.5-23.0.5-2ubuntu0.17.1.1-1.1ubuntu17.7.0-17.7.0-27.7.0-37.7.3-14.0.3-14.1.0-14.1.0-24.1.1-14.1.1-1ubuntu0.24.1.1-1ubuntu0.2+esm15.0.0-7.15.2.1-15.2.1-1ubuntu0.15.2.1-1ubuntu0.1+esm16.1.1-16.2.1-26.2.1-2ubuntu0.16.2.1-2ubuntu0.1~esm16.2.1-2ubuntu0.1~esm26.2.1-2ubuntu0.26.2.1-2ubuntu0.2+esm16.5.2-16.6.1-16.6.1-1ubuntu0.26.6.1-1ubuntu0.2+esm1Exploitability
AV:NAC:HPR:NUI:NScope
S:CImpact
C:NI:NA:LCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L