Varnish is vulnerable to HTTP request smuggling. The vulnerability exists in the h2h_addhdr function of cache_http2_hpack.c, where discrepancies in parsing HTTP requests allow an attacker to smuggle HTTP requests.
docs.varnish-software.com/security/VSV00011
lists.debian.org/debian-lts-announce/2022/11/msg00036.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/
security-tracker.debian.org/tracker/CVE-2022-45060
varnish-cache.org/security/VSV00011.html
www.debian.org/security/2023/dsa-5334