Search for packages
| purl | pkg:deb/debian/varnish@4.0.2-1 |
| Next non-vulnerable version | 7.1.1-2+deb12u1 |
| Latest non-vulnerable version | 7.1.1-2+deb12u1 |
| Risk | 4.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9494-9tdz-jkeb
Aliases: CVE-2022-45060 VSV00011 |
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected. |
Affected by 4 other vulnerabilities. |
|
VCID-c4pk-mc4n-wyh9
Aliases: CVE-2025-30346 VSV00015 |
varnish: Client-Side Desynchronization in Varnish Cache |
Affected by 2 other vulnerabilities. |
|
VCID-dkhk-j3eu-53he
Aliases: CVE-2022-23959 |
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. |
Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-e5uu-kd2t-wugu
Aliases: CVE-2017-12425 |
denial of service |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-kz93-hnzv-dyfe
Aliases: CVE-2021-36740 |
url request injection |
Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-pb7u-beyt-fbet
Aliases: CVE-2025-47905 |
content spoofing |
Affected by 2 other vulnerabilities. |
|
VCID-pmv8-cheb-vfbu
Aliases: CVE-2017-8807 |
information disclosure |
Affected by 10 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-qswj-nhpw-3qgr
Aliases: CVE-2020-11653 |
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. |
Affected by 4 other vulnerabilities. |
|
VCID-xdnk-3eyc-quas
Aliases: CVE-2019-15892 |
varnish: denial of service handling certain crafted HTTP/1 requests |
Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-zb85-shgd-9qcq
Aliases: CVE-2019-20637 |
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-71z4-hapa-3ka5 | Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI. |
CVE-2013-4484
|
| VCID-gn2f-m6w9-q3c5 | Varnish HTTP cache before 3.0.4: ACL bug |
CVE-2013-4090
|
| VCID-jvtv-q37u-e3fm | varnish: http smuggling issues |
CVE-2015-8852
|