High severity7.5NVD Advisory· Published Apr 25, 2016· Updated May 6, 2026
CVE-2015-8852
CVE-2015-8852
Description
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
Affected products
9cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.0:beta1:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:varnish_cache_project:varnish_cache:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- www.varnish-cache.org/lists/pipermail/varnish-announce/2015-March/000701.htmlnvdVendor Advisory
- lists.opensuse.org/opensuse-updates/2016-05/msg00064.htmlnvd
- www.debian.org/security/2016/dsa-3553nvd
- www.openwall.com/lists/oss-security/2016/04/16/1nvd
- www.openwall.com/lists/oss-security/2016/04/18/7nvd
- github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9cnvd
- github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3nvd
- security.gentoo.org/glsa/201607-10nvd
News mentions
0No linked articles in our index yet.