{"id":"CVE-2017-8807","details":"vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore transient objects.","modified":"2026-04-16T06:23:29.615661273Z","published":"2017-11-16T02:29:05.660Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/101886"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-4034"},{"type":"REPORT","url":"https://bugs.debian.org/881808"},{"type":"REPORT","url":"https://github.com/varnishcache/varnish-cache/pull/2429"},{"type":"FIX","url":"http://varnish-cache.org/security/VSV00002.html"},{"type":"FIX","url":"https://github.com/varnishcache/varnish-cache/commit/176f8a075a963ffbfa56f1c460c15f6a1a6af5a7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/varnishcache/varnish-cache","events":[{"introduced":"3041728c596139834b789c424ad886306f30334c"},{"fixed":"5024f60c3a51f537279977989b645e983a946e1a"},{"introduced":"99d036fe0b49c7487edb7dfd0da10fc2eef30505"},{"fixed":"67e56248220057f59f794ecc95d7a644b8492fef"},{"fixed":"176f8a075a963ffbfa56f1c460c15f6a1a6af5a7"}],"database_specific":{"versions":[{"introduced":"4.1.0"},{"fixed":"4.1.9"},{"introduced":"5.0.0"},{"fixed":"5.2.1"}]}}],"versions":["varnish-4.1.0","varnish-4.1.1","varnish-4.1.1-beta1","varnish-4.1.1-beta2","varnish-4.1.2","varnish-4.1.2-beta1","varnish-4.1.2-beta2","varnish-4.1.3","varnish-4.1.3-beta1","varnish-4.1.3-beta2","varnish-4.1.4","varnish-4.1.4-beta1","varnish-4.1.4-beta2","varnish-4.1.4-beta3","varnish-4.1.5","varnish-4.1.5-beta1","varnish-4.1.5-beta2","varnish-4.1.6","varnish-4.1.7","varnish-4.1.8","varnish-5.0.0","varnish-5.1.0","varnish-5.1.1","varnish-5.1.2","varnish-5.2.0","varnish-5.2.0-rc1","varnish-5.2.0-rc2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T04:59:54Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8807.json","vanir_signatures":[{"deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"317635809142638776188580053458899665848","length":2552},"source":"https://github.com/varnishcache/varnish-cache/commit/176f8a075a963ffbfa56f1c460c15f6a1a6af5a7","target":{"file":"bin/varnishd/cache/cache_fetch.c","function":"vbf_stp_error"},"id":"CVE-2017-8807-54507ce7"},{"deprecated":false,"target":{"file":"bin/varnishd/cache/cache_fetch.c"},"signature_version":"v1","digest":{"line_hashes":["35752772080807146568775274854838049175","62009287341324849338652974456371337353","297563870909354190281146502171842406048","182442623255090597664454248417396896307"],"threshold":0.9},"source":"https://github.com/varnishcache/varnish-cache/commit/176f8a075a963ffbfa56f1c460c15f6a1a6af5a7","signature_type":"Line","id":"CVE-2017-8807-db9d9e86"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}