purl | pkg:deb/debian/varnish@1.1.2 |
Next non-vulnerable version | 7.1.1-2+deb12u1 |
Latest non-vulnerable version | 7.1.1-2+deb12u1 |
Risk | 4.1 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-71z4-hapa-3ka5 (Aliases: CVE-2013-4484) | Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI. | Affected by 13 other vulnerabilities. Affected by 10 other vulnerabilities. |
VCID-9494-9tdz-jkeb (Aliases: CVE-2022-45060, VSV00011) | An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected. | Affected by 4 other vulnerabilities. |
VCID-bvwx-zvrz-n7fd (Aliases: CVE-2009-2936) | The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless." | Affected by 13 other vulnerabilities. |
VCID-c4pk-mc4n-wyh9 (Aliases: CVE-2025-30346, VSV00015) | varnish: Client-Side Desynchronization in Varnish Cache | Affected by 2 other vulnerabilities. |
VCID-dkhk-j3eu-53he (Aliases: CVE-2022-23959) | In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. | Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-e5uu-kd2t-wugu (Aliases: CVE-2017-12425) | denial of service | Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 8 other vulnerabilities. |
VCID-gn2f-m6w9-q3c5 (Aliases: CVE-2013-4090) | Varnish HTTP cache before 3.0.4: ACL bug | Affected by 10 other vulnerabilities. |
VCID-jvtv-q37u-e3fm (Aliases: CVE-2015-8852) | varnish: http smuggling issues | Affected by 13 other vulnerabilities. Affected by 10 other vulnerabilities. |
VCID-kz93-hnzv-dyfe (Aliases: CVE-2021-36740) | url request injection | Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-pb7u-beyt-fbet (Aliases: CVE-2025-47905) | content spoofing | Affected by 2 other vulnerabilities. |
VCID-pmv8-cheb-vfbu (Aliases: CVE-2017-8807) | information disclosure | Affected by 10 other vulnerabilities. Affected by 8 other vulnerabilities. |
VCID-qswj-nhpw-3qgr (Aliases: CVE-2020-11653) | An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. | Affected by 4 other vulnerabilities. |
VCID-xdnk-3eyc-quas (Aliases: CVE-2019-15892) | varnish: denial of service handling certain crafted HTTP/1 requests | Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-zb85-shgd-9qcq (Aliases: CVE-2019-20637) | An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers. | Affected by 4 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |