Vulnerabilities > Varnish Cache Project
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-10 | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 7.5 |
| 2022-11-09 | CVE-2022-45059 | HTTP Request Smuggling vulnerability in multiple products An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. | 7.5 |
| 2022-11-09 | CVE-2022-45060 | An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. | 7.5 |
| 2022-08-11 | CVE-2022-38150 | In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. | 7.5 |
| 2022-01-26 | CVE-2022-23959 | HTTP Request Smuggling vulnerability in multiple products In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. | 9.1 |
| 2021-07-14 | CVE-2021-36740 | HTTP Request Smuggling vulnerability in multiple products Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. network low complexity varnish-cache varnish-cache-project varnish-software fedoraproject debian CWE-444 | 6.5 |
| 2020-02-12 | CVE-2013-4090 | Unspecified vulnerability in Varnish Cache Project Varnish Cache Varnish HTTP cache before 3.0.4: ACL bug | 7.5 |
| 2019-09-03 | CVE-2019-15892 | Reachable Assertion vulnerability in multiple products An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. | 7.5 |
| 2017-11-16 | CVE-2017-8807 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore transient objects. | 9.1 |
| 2017-08-04 | CVE-2017-12425 | Integer Overflow or Wraparound vulnerability in multiple products An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. | 7.5 |