VYPR

Varnish Enterprise

by Varnishcache

CVEs (5)

  • CVE-2024-30156 | High | Mar 24, 2024
    risk 0.49 | cvss 7.5 | epss 0.04

    Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack.

  • CVE-2025-47905 | Med | May 13, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.

  • CVE-2025-30346 | Mar 21, 2025
    risk 0.00 | cvss | epss 0.00

    Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.

  • CVE-2025-30347 | Mar 21, 2025
    risk 0.00 | cvss | epss 0.00

    Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read for range requests on ephemeral MSE4 stevedore objects.

  • CVE-2021-36740 | Jul 14, 2021
    risk 0.00 | cvss | epss 0.02

    Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS…