Critical severity9.1NVD Advisory· Published Nov 16, 2017· Updated May 13, 2026

CVE-2017-8807

Description

vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore transient objects.

Affected products

Varnish Cache Project/Varnish Cache
cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*
Range: >=5.0.0,<5.2.1
Varnish.projects.linpro/Varnish
cpe:2.3:a:varnish-cache:varnish:*:*:*:*:*:*:*:*
Range: >=4.1.0,<4.1.9
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

varnish-cache.org/security/VSV00002.htmlnvdPatchVendor Advisory
github.com/varnishcache/varnish-cache/commit/176f8a075a963ffbfa56f1c460c15f6a1a6af5a7nvdPatchVendor Advisory
www.securityfocus.com/bid/101886nvdThird Party AdvisoryVDB Entry
bugs.debian.org/881808nvdIssue TrackingThird Party Advisory
github.com/varnishcache/varnish-cache/pull/2429nvdIssue TrackingVendor Advisory
www.debian.org/security/2017/dsa-4034nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000