Varnish Cache Project: >> Varnish Cache >> 3.0.0 Security Vulnerabilities
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-03-21
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Known exploited
CVSS Score
7.5
EPSS Score
0.944
Published
2023-10-10
Varnish HTTP cache before 3.0.4: ACL bug
CVSS Score
7.5
EPSS Score
0.004
Published
2020-02-12
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
CVSS Score
7.5
EPSS Score
0.011
Published
2016-04-25
Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI.
CVSS Score
5.0
EPSS Score
0.015
Published
2013-11-01