7 matches found
CVE-2019-15892
CVE-2019-15892 affects Varnish Cache before 6.0.4 LTS and 6.1.x and before 6.2.1 in the 6.2.x line. An HTTP/1 parsing failure allows a remote attacker to trigger an assert, causing an automatic restart with a clean cache and resulting in a Denial of Service. The available fixes are to upgrade to ...
CVE-2022-23959
CVE-2022-23959 affects Varnish Cache and related variants, where HTTP/1 connections are vulnerable to a request smuggling flaw in versions before 6.6.2 (and 7.x before 7.0.2), 6.0 LTS before 6.0.10, and Varnish Enterprise/Cache Plus before 4.1.11r6 and 6.0.9r4. The root cause is improper handling...
CVE-2020-11653
CVE-2020-11653 affects Varnish Cache prior to 6.0.6 LTS, 6.1.x prior to 6.2.3, and 6.3.x prior to 6.3.2. When a TLS termination proxy uses PROXY v2, an assertion failure can occur, causing the varnishd daemon to restart and leading to performance loss. Connected advisories (Debian/Ubuntu/Rocky) r...
CVE-2019-20637
Varnish Cache (versions before 6.0.5 LTS, 6.1.x before 6.2.2, and 6.3.x before 6.3.1) is affected by CVE-2019-20637. The vulnerability arises because a pointer is not cleared between handling successive client requests on the same TCP connection, which can allow disclosure of data from the connec...
CVE-2021-36740
Varnish Cache, with HTTP/2 enabled, is vulnerable to request smuggling and VCL authorization bypass via a large Content-Length header in POST requests. Affected: Varnish Enterprise 6.0.x before 6.0.8r3; Varnish Cache 5.x and 6.x before 6.5.2; 6.6.x before 6.6.1; and 6.0 LTS before 6.0.8. Mitigati...
CVE-2022-45060
CVE-2022-45060 – Varnish Cache HTTP/2 header forgery affects Varnish Cache 5.x and 6.x up to before 6.0.11, 7.x up to before 7.1.2, and 7.2.x up to before 7.2.1. An attacker can inject characters in HTTP/2 pseudo-headers that are invalid for HTTP/1 request lines, causing the Varnish server to gen...
CVE-2017-12425
Varnish HTTP Cache contains a denial-of-service vulnerability (CVE-2017-12425) due to a wrong if statement in varnishd that can cause an assertion when processing invalid client requests. This bug affects multiple releases: 4.0.1–4.0.4, 4.1.0–4.1.7, 5.0.0, and 5.1.0–5.1.2. Exploitation leads to t...