CVE-2022-23959
CRITICAL: Varnish Cache HTTP Request Smuggling (fixed in 6.6.2, 7.0.2, 6.0.10, 4.1.11r6, 6.0.9r4)
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
References (5)
Mitigation, Vendor Advisory (x_refsource_misc): https://varnish-cache.org/security/VSV00008.html
Mitigation, Vendor Advisory (x_refsource_misc): https://docs.varnish-software.com/security/VSV00008/
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2022/dsa-5088
Scores
CVSS v3
9.1
EPSS
0.0188
EPSS Percentile
76.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-444
Status
published
Products (10)
debian/debian_linux
9.0
debian/debian_linux
10.0
debian/debian_linux
11.0
fedoraproject/fedora
35
varnish-software/varnish_cache
4.1
varnish-software/varnish_cache
1.0.0 - 6.6.2
varnish-software/varnish_cache
4.1.1 - 4.1.11r6
varnish-software/varnish_cache
6.0.0 - 6.0.10
varnish-software/varnish_cache_plus
6.0.0 - 6.0.9r4
varnish_cache_project/varnish_cache
7.0.0 - 7.0.2
Published
Jan 26, 2022
Tracked Since
Feb 18, 2026