Varnish · Varnish · CVE-2015-8852
**Name of the Vulnerable Software and Affected Versions**
Varnish versions 3.x through 3.0.6
**Description**
The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a `\r` (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request. This occurs when Varnish is used in certain stacked installations.
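As an added example (not Varnish code and not part of the original advisory), the following check flags raw request heads that show the two conditions named above: a header line ending in a bare `\r`, and more than one Content-Length header. The function name, the finding labels, the strict/lenient comparison and the sample requests are assumptions made for illustration.

```python
import re

# A carriage return that is not immediately followed by a line feed.
BARE_CR = re.compile(rb"\r(?!\n)")

def count_content_length(lines):
    """Count header lines whose field name is Content-Length."""
    return sum(
        1 for line in lines
        if line.split(b":", 1)[0].strip().lower() == b"content-length"
    )

def inspect_request_head(raw: bytes) -> list[str]:
    """Return findings for the header section of one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings = []
    if BARE_CR.search(head):
        findings.append("bare-cr")
    # View the head twice: as a parser that accepts only CRLF line endings,
    # and as a lenient parser that also ends a line at a lone CR or LF.
    # (Assumed model of two stacked layers; [1:] skips the request line.)
    strict = count_content_length(head.split(b"\r\n")[1:])
    lenient = count_content_length(re.split(rb"\r\n|\r|\n", head)[1:])
    if lenient > 1:
        findings.append("multiple-content-length")
    if strict != lenient:
        # The two layers would not agree on which headers are present.
        findings.append("parser-disagreement")
    return findings

# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DUPLICATE = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")
BARE_CR_DUPLICATE = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 5\r\n"
                     b"X-Pad: a\rContent-Length: 0\r\n\r\nhello")

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("duplicate", DUPLICATE),
                         ("bare-cr + duplicate", BARE_CR_DUPLICATE)]:
        print(name, inspect_request_head(sample))
```

A front-end proxy or WAF rule can reject any request that yields a non-empty result here; this complements the upgrade and does not replace it.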
**Recommendations**
For Varnish versions 3.x through 3.0.6, update to version 3.0.7 or later to resolve the issue.