CVE-2015-8852
Published 2016-04-25
Priority: P341 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 3.43% (87.4th percentile)
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
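A check for the two conditions named in the description (a header line carrying a bare `\r`, and more than one Content-Length header), written as an added example; it is not code from the advisory or from Varnish. The function names and the sample requests are constructed for illustration.

```python
import re

# A carriage return that is NOT immediately followed by a line feed.
BARE_CR = re.compile(rb"\r(?!\n)")

def audit_request_head(raw: bytes) -> list[str]:
    """Return findings for the head of one raw HTTP/1.x request."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")            # strict CRLF framing
    content_lengths = []
    for number, line in enumerate(lines[1:], start=2):  # line 1 is the request line
        if BARE_CR.search(line):
            findings.append(f"line {number}: bare CR inside header line")
        # A lenient parser elsewhere in the stack may treat a bare CR (or LF)
        # as a line ending, so count Content-Length in every fragment.
        for fragment in re.split(rb"[\r\n]", line):
            name, sep, value = fragment.partition(b":")
            if sep and name.strip().lower() == b"content-length":
                content_lengths.append(value.strip())
    if len(content_lengths) > 1:
        values = b", ".join(content_lengths).decode("latin-1")
        findings.append(f"{len(content_lengths)} Content-Length headers: {values}")
    return findings

def should_reject(raw: bytes) -> bool:
    """Policy used here: any finding means the request is refused (400)."""
    return bool(audit_request_head(raw))

# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
BARE_CR_CASE = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
                b"X-Note: a\rContent-Length: 0\r\n"
                b"Content-Length: 5\r\n\r\nhello")
DUPLICATE_CL = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 0\r\nContent-Length: 5\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("bare CR", BARE_CR_CASE),
                          ("duplicate CL", DUPLICATE_CL)]:
        print(label, "->", audit_request_head(sample) or "ok")
```

Counting Content-Length after splitting on bare CR as well as CRLF is what exposes the disagreement between a strict and a lenient parser in a stacked deployment.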
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | varnish | < varnish 4.0.0-1 (bookworm) | varnish 4.0.0-1 (bookworm) |
| varnish-cache | varnish | >= 0 < 4.0.0-1 | 4.0.0-1 |
| varnish-cache | varnish | >= 0 < 4.0.0-1 | 4.0.0-1 |
| varnish-cache | varnish | >= 0 < 4.0.0-1 | 4.0.0-1 |
| varnish-cache | varnish | >= 0 < 4.0.0-1 | 4.0.0-1 |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
CVSS provenance
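| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |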
GHSA
GHSA-rgw4-jfff-qx3m: Varnish 3
ghsa_unreviewed·2022-05-17
OSV
CVE-2015-8852: Varnish 3
osv·2016-04-25·CVSS 7.5
Red Hat
varnish: http smuggling issues
vendor_redhat·2015-03-12·CVSS 7.5
CVE-2015-8852 [HIGH] CWE-113 varnish: http smuggling issues
Package: rh-varnish4-varnish (Red Hat Software Collections) - Not affected
Debian
CVE-2015-8852: varnish - Varnish 3.x before 3.0.7, when used in certain stacked installations, allows rem...
vendor_debian·2015·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 4.0.0-1)
bullseye: resolved (fixed in 4.0.0-1)
forky: resolved (fixed in 4.0.0-1)
sid: resolved (fixed in 4.0.0-1)
trixie: resolved (fixed in 4.0.0-1)
No detection rules found.
No public exploits indexed.
HackerOne
Multiple HTTP Smuggling reports
hackerone·2019-11-12·CVSS 9.8
These reports spread over several years and are all about **HTTP Smuggling issues**
(HTTP Requests or Responses splitting, Cache Poisoning, Security filter bypass).
I've made reports on a wide range of open source projects, explaining
the (not always easy) problems to the various security maintainers and testing the fixes.
The starting point for this work was the 2005 work published by Amit Klein and some others:
* 2004 - Amit Klein : "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" https://packetstormsecurity.com/papers/general/whitepaper_httpresponse.pdf
* 2005 - Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: "HTTP Request Smuggling" https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
* 2006 -
Bugzilla
CVE-2015-8852 varnish: http smuggling issues
bugzilla·2016-04-19·CVSS 7.5
An old flaw found in Varnish 3 before 3.0.7. It combines two flaws in HTTP protocol handling which allow for HTTP Response Splitting attacks.
Upstream fix:
https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3
References:
http://seclists.org/oss-sec/2016/q2/81
Discussion:
Created varnish tracking bugs for this issue:
Affects: epel-5 [bug 1328362]
Affects: epel-6 [bug 1328363]
Bugzilla
CVE-2015-8852 varnish: http smuggling issues [epel-5]
bugzilla·2016-04-19·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
Discussion:
Use the fol
Bugzilla
CVE-2015-8852 varnish: http smuggling issues [epel-6]
bugzilla·2016-04-19·CVSS 7.5
References:
http://lists.opensuse.org/opensuse-updates/2016-05/msg00064.html
http://www.debian.org/security/2016/dsa-3553
http://www.openwall.com/lists/oss-security/2016/04/16/1
http://www.openwall.com/lists/oss-security/2016/04/18/7
https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3
https://security.gentoo.org/glsa/201607-10
https://www.varnish-cache.org/lists/pipermail/varnish-announce/2015-March/000701.html
Published: 2016-04-25