Varnish Cache Security Vulnerabilities and Issues — Varnish Cache CVE List

Lucene search

Varnish Cache ProjectVarnish Cache

8 matches found

CVE•added 2023/10/10 2:15 p.m.•4422 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

7.5CVSS8AI score0.94434EPSS

CVE•added 2019/09/03 9:15 p.m.•1377 views

CVE-2019-15892

An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service ...

7.8CVSS7.2AI score0.05554EPSS

CVE•added 2017/08/04 9:29 a.m.•145 views

CVE-2017-12425

An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varn...

7.5CVSS7.2AI score0.00823EPSS

CVE•added 2022/08/11 1:15 a.m.•110 views

CVE-2022-38150

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

7.5CVSS7AI score0.00276EPSS

CVE•added 2022/11/09 6:15 a.m.•109 views

CVE-2022-45060

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce inva...

7.5CVSS7.3AI score0.00329EPSS

CVE•added 2022/11/09 6:15 a.m.•71 views

CVE-2022-45059

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

7.5CVSS7.2AI score0.00465EPSS

CVE•added 2016/04/25 2:59 p.m.•53 views

CVE-2015-8852

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP ...

7.5CVSS7.3AI score0.01221EPSS

CVE•added 2020/02/12 4:15 p.m.•42 views

CVE-2013-4090

Varnish HTTP cache before 3.0.4: ACL bug

7.5CVSS7.5AI score0.00351EPSS