ID CVE-2015-8852
Summary Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
References
Vulnerable Configurations
  • Varnish Cache Varnish 3.0.6
    cpe:2.3:a:varnish-cache:varnish:3.0.6
  • Varnish Cache Varnish 3.0.5
    cpe:2.3:a:varnish-cache:varnish:3.0.5
  • Varnish Cache Varnish 3.0.4
    cpe:2.3:a:varnish-cache:varnish:3.0.4
  • Varnish Cache Varnish 3.0.3
    cpe:2.3:a:varnish-cache:varnish:3.0.3
  • Varnish Cache Varnish 3.0.2
    cpe:2.3:a:varnish-cache:varnish:3.0.2
  • Varnish Cache Varnish 3.0.1
    cpe:2.3:a:varnish-cache:varnish:3.0.1
  • Varnish-Cache Varnish 3.0.0 Beta 2
    cpe:2.3:a:varnish-cache:varnish:3.0.0:beta2
  • Varnish-Cache Varnish 3.0.0 Beta 1
    cpe:2.3:a:varnish-cache:varnish:3.0.0:beta1
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
CVSS
Base: 5.0 (as of 05-05-2016 - 13:56)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-588.NASL
    description This varnish update to version 3.0.7 fixes the following issues : Security issues fixed : - CVE-2015-8852: Vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL. (boo#976097) Bugs fixed : - Stop recognizing a single CR (\r) as a HTTP line separator. - Improved error detection on master-child process communication, leading to faster recovery (child restart) if communication loses sync. - Fix a corner-case where Content-Length was wrong for HTTP 1.0 clients, when using gzip and streaming. - More robust handling of hop-by-hop headers. - Avoid memory leak when adding bans.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 91205
    published 2016-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91205
    title openSUSE Security Update : varnish (openSUSE-2016-588)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201607-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201607-10 (Varnish: Multiple vulnerabilities) Varnish fails to properly validate input from HTTP headers, and does not deny requests with multiple Content-Length headers. Impact : Remote attackers could conduct an HTTP response splitting attack, which may further enable them to conduct Cross-Site Scripting (XSS), Cache Poisoning, Defacement, and Page Hijacking. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-10-10
    plugin id 92480
    published 2016-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92480
    title GLSA-201607-10 : Varnish: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3553.NASL
    description Regis Leroy from Makina Corpus discovered that varnish, a caching HTTP reverse proxy, is vulnerable to HTTP smuggling issues, potentially resulting in cache poisoning or bypassing of access control policies.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 90686
    published 2016-04-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90686
    title Debian DSA-3553-1 : varnish - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-721.NASL
    description Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request. (CVE-2015-8852)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 92223
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92223
    title Amazon Linux AMI : varnish (ALAS-2016-721)
refmap via4
confirm
debian DSA-3553
gentoo GLSA-201607-10
mlist
  • [oss-security] 20160416 CVE request: Varnish 3 before 3.0.7 was vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL
  • [oss-security] 20160418 Re: CVE request: Varnish 3 before 3.0.7 was vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL
  • [varnish-announce] 20150323 Varnish 3.0.7 released.
suse openSUSE-SU-2016:1316
Last major update 30-11-2016 - 22:01
Published 25-04-2016 - 10:59