CVE-2022-45060

high-risk
Published 2022-11-09

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Do I need to act?

-
0.95% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

Varnish Cache
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus
Varnish Cache Plus

Affected Vendors

Debian Fedoraproject Varnish Cache Project Varnish-Software

References (14)

Mitigation https://docs.varnish-software.com/security/VSV00011
Mailing List https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mitigation https://varnish-cache.org/security/VSV00011.html
Third Party Advisory https://www.debian.org/security/2023/dsa-5334
Mitigation https://docs.varnish-software.com/security/VSV00011
Mailing List https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mitigation https://varnish-cache.org/security/VSV00011.html
Third Party Advisory https://www.debian.org/security/2023/dsa-5334
56
/ 100
high-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 27/34 · High