CVE-2022-45060
Last modified
CVE-2022-45060 is a high-severity vulnerability with a CVSS v3.1 base score of 7.5. It is an HTTP Request Forgery issue in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. EPSS estimates a 0.93% chance of exploitation in the next 30 days.
Description
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
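The description above is the classic HTTP/2-to-HTTP/1 downgrade problem: a front end that copies `:method`, `:path` and `:authority` verbatim into an HTTP/1 request line lets CR, LF or SP arrive in places the HTTP/1 grammar never allows, so the backend may parse one forwarded request as two. The following is an added illustration of that bug class, not Varnish's code: the function names, the constructed pseudo-header samples and the validation rules are assumptions chosen to show the failure and the check that prevents it.

```python
"""
Toy HTTP/2 -> HTTP/1 request-line translation, vulnerable and hardened.
This is an added illustration of the CVE-2022-45060 bug class, not code
from Varnish. Names, samples and validation rules are assumptions.
"""
import re

# Constructed sample: pseudo-headers an attacker could send in an HTTP/2
# HEADERS frame. ":path" smuggles CRLF and a complete second request line.
MALICIOUS_PSEUDO_HEADERS = {
    ":method": "GET",
    ":scheme": "https",
    ":authority": "www.example.com",
    ":path": "/ HTTP/1.1\r\nHost: www.example.com\r\n\r\nGET /admin",
}

# Constructed sample: a normal request for comparison.
BENIGN_PSEUDO_HEADERS = {
    ":method": "GET",
    ":scheme": "https",
    ":authority": "www.example.com",
    ":path": "/index.html?q=1",
}

# RFC 9110 "token" characters, the only ones legal in a method name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Request-target and Host value: visible ASCII only, no SP, CTL or DEL,
# so CR/LF/space can never split the request line (RFC 9112 section 3).
_VCHAR_RE = re.compile(r"^[\x21-\x7e]+$")


def naive_h2_to_h1(pseudo):
    """Vulnerable translation: trusts pseudo-header values verbatim."""
    return (
        f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\n"
        f"Host: {pseudo[':authority']}\r\n"
        f"\r\n"
    ).encode("ascii")


def validated_h2_to_h1(pseudo):
    """Hardened translation: reject anything not legal in an HTTP/1
    request line or Host header before serialising."""
    method = pseudo.get(":method", "")
    path = pseudo.get(":path", "")
    authority = pseudo.get(":authority", "")
    if not _TOKEN_RE.match(method):
        raise ValueError(f"invalid :method {method!r}")
    if not _VCHAR_RE.match(path):
        raise ValueError(f"invalid :path {path!r}")
    if not _VCHAR_RE.match(authority):
        raise ValueError(f"invalid :authority {authority!r}")
    return naive_h2_to_h1(pseudo)


def count_request_lines(raw):
    """Count how many request lines a permissive HTTP/1 backend would see
    in the byte stream: lines shaped like 'METHOD /target ...'. One means a
    clean request; two means a second request has been smuggled."""
    n = 0
    for line in raw.split(b"\r\n"):
        parts = line.split(b" ")
        if (len(parts) >= 2
                and _TOKEN_RE.match(parts[0].decode("ascii", "replace"))
                and parts[1].startswith(b"/")):
            n += 1
    return n


if __name__ == "__main__":
    forged = naive_h2_to_h1(MALICIOUS_PSEUDO_HEADERS)
    print(forged.decode("ascii"))
    print("request lines seen by backend:", count_request_lines(forged))
    try:
        validated_h2_to_h1(MALICIOUS_PSEUDO_HEADERS)
    except ValueError as exc:
        print("hardened translator rejected it:", exc)
```

Running it prints the forged byte stream, which a lenient backend reads as two requests (`GET /` followed by `GET /admin`), while the validating translator refuses the same input. Varnish's real parser and fix differ in detail; the point is that HTTP/2 delivers these fields as opaque, length-prefixed strings, so an HTTP/1 proxy must re-apply the HTTP/1 character rules itself before writing a request line.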
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Varnish-Software | Varnish Cache | >= 6.0.0, < 6.0.11 | — |
| Varnish-Software | Varnish Cache Plus | 6.0.0 | — |
| Varnish-Software | Varnish Cache Plus | 6.0.1 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.2 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.3 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.4 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.5 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.6 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.7 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.8 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.9 | R1 |
| Varnish-Software | Varnish Cache Plus | 6.0.10 | R1 |
| Varnish Cache Project | Varnish Cache | >= 5.0.0, < 6.0.11 | — |
| Varnish Cache Project | Varnish Cache | >= 7.0.0, < 7.1.2 | — |
| Varnish Cache Project | Varnish Cache | 7.2.0 | — |
| Fedoraproject | Fedora | 35 | — |
| Fedoraproject | Fedora | 36 | — |
| Fedoraproject | Fedora | 37 | — |
| Debian | Debian Linux | 10.0 | — |
| Debian | Debian Linux | 11.0 | — |
References
- https://docs.varnish-software.com/security/VSV00011 (Mitigation, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html (Mailing List, Third Party Advisory)
- https://varnish-cache.org/security/VSV00011.html (Mitigation, Vendor Advisory)
- https://www.debian.org/security/2023/dsa-5334 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-45060?
An HTTP Request Forgery vulnerability in Varnish Cache. Characters supplied in HTTP/2 pseudo-headers that are not valid in an HTTP/1 request line are passed through unchecked, so Varnish emits malformed HTTP/1 requests to the backend, which can be used to reach vulnerabilities in the server behind Varnish.
How severe is CVE-2022-45060?
High severity, CVSS v3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): exploitable over the network without authentication or user interaction, with high integrity impact and no direct confidentiality or availability impact.
How do I fix CVE-2022-45060?
Upgrade to Varnish Cache 6.0.11, 7.1.2 or 7.2.1 (or later), or to the fixed Varnish Cache Plus release named in the vendor advisory VSV00011. Debian users should apply the updates from DSA-5334 or the LTS announcement listed above.
Source: NVD / NIST
