AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack.
varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#security
varnish-cache.org/security/VSV00014.html