Upstream information
Description
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
CNA (MITRE) | |
---|---|
Base Score | 5.4 |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | None |
Scope | Changed |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- RHSA-2025:8336, published Wed Jun 4 15:06:43 UTC 2025
- RHSA-2025:8337, published Wed Jun 4 15:06:45 UTC 2025
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
SUSE Liberty Linux 8 |
| Patchnames: RHSA-2025:8336 |
SUSE Liberty Linux 9 |
| Patchnames: RHSA-2025:8337 |
SUSE Timeline for this CVE
CVE page created: Wed May 14 02:01:29 2025CVE page last modified: Thu Aug 7 01:35:59 2025