CVE-2015-8852

Published: Apr 25, 2016Modified: May 6, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.

Affected (9)

Products: Varnish Cache Project: Varnish Cache · Debian: Debian Linux

Varnish Cache Project

1 product

1 product

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Varnish Cache Project Varnish Cache	Version 3.0.0 beta1
Varnish Cache Project Varnish Cache	Version 3.0.0 beta2
Varnish Cache Project Varnish Cache	Version 3.0.1
Varnish Cache Project Varnish Cache	Version 3.0.2
Varnish Cache Project Varnish Cache	Version 3.0.3
Varnish Cache Project Varnish Cache	Version 3.0.4
Varnish Cache Project Varnish Cache	Version 3.0.5
Varnish Cache Project Varnish Cache	Version 3.0.6

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0

References (16)

http://lists.opensuse.org/opensuse-updates/2016-05/msg00064.html

Source: cve@mitre.org

http://www.debian.org/security/2016/dsa-3553

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2016/04/16/1

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2016/04/18/7

Source: cve@mitre.org

https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c

Source: cve@mitre.org

https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3

Source: cve@mitre.org

https://security.gentoo.org/glsa/201607-10

Source: cve@mitre.org

https://www.varnish-cache.org/lists/pipermail/varnish-announce/2015-March/000701.html

Source: cve@mitre.org

Vendor Advisory

http://lists.opensuse.org/opensuse-updates/2016-05/msg00064.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2016/dsa-3553

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2016/04/16/1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2016/04/18/7

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201607-10

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.varnish-cache.org/lists/pipermail/varnish-announce/2015-March/000701.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.