DRUPAL-CONTRIB-2024-033

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/adv_varnish/DRUPAL-CONTRIB-2024-033.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-033

Aliases

CVE-2024-13269

Published

2024-08-28T15:32:41Z

Modified

2025-12-10T23:41:26.203168Z

Summary

[none]

Details

This module enables you to cache pages for logged in users at the Varnish level.

The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when guessing such a bin name.

References

https://www.drupal.org/sa-contrib-2024-033

Credits

- Heine Deelstra
- - https://www.drupal.org/user/17943

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/adv_varnish

Package

Name: drupal/adv_varnish
Purl: pkg:composer/drupal/adv_varnish

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

4.0.11

Database specific

{
    "constraint": "<4.0.11"
}

Database specific

affected_versions

"<4.0.11"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/adv_varnish/DRUPAL-CONTRIB-2024-033.json"