QwikSec

Security Database

CVE

CWE

Training

CVE-2015-8852

Published: Apr 25, 2016

Modified: Aug 6, 2024

PUBLISHED

Description

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vendor-advisory

x_refsource_DEBIAN

[varnish-announce] 20150323 Varnish 3.0.7 released.

mailing-list

x_refsource_MLIST

[oss-security] 20160418 Re: CVE request: Varnish 3 before 3.0.7 was vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_GENTOO

https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c

x_refsource_CONFIRM

https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3

x_refsource_CONFIRM

[oss-security] 20160416 CVE request: Varnish 3 before 3.0.7 was vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL

mailing-list

x_refsource_MLIST

openSUSE-SU-2016:1316

vendor-advisory

x_refsource_SUSE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.