rpm package
almalinux/varnish-modules
pkg:rpm/almalinux/varnish-modules
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-47905 | Medium | 5.4 | — | < 0.15.0-6.module_el8.9.0+3826+307eaba4 | 0.15.0-6.module_el8.9.0+3826+307eaba4 | May 13, 2025 | Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries. |
| CVE-2024-30156 | High | 7.5 | — | < 0.15.0-6.module_el8.5.0+2620+03a0c2cc | 0.15.0-6.module_el8.5.0+2620+03a0c2cc | Mar 24, 2024 | Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack. |
| CVE-2023-44487 | High | 7.5 | KEV | < 0.15.0-6.module_el8.5.0+2620+03a0c2cc | 0.15.0-6.module_el8.5.0+2620+03a0c2cc | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2022-45060 | — | — | — | < 0.15.0-6.module_el8.5.0+2620+03a0c2cc | 0.15.0-6.module_el8.5.0+2620+03a0c2cc | Nov 9, 2022 | An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish ser |
| CVE-2022-23959 | — | — | — | < 0.15.0-6.module_el8.5.0+2620+03a0c2cc | 0.15.0-6.module_el8.5.0+2620+03a0c2cc | Jan 26, 2022 | In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. |