CVE-2022-45060

HIGH

Varnish Cache 5.x 6.x < 6.0.11 7.x < 7.1.2 7.2.x < 7.2.1 - HTTP Request Forgery via HTTP/2 Pseudo-Headers

Title source: llm

Description

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Scores

CVSS v3 7.5
EPSS 0.0086
EPSS Percentile 75.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (15)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
varnish-software/varnish_cache 6.0.0 - 6.0.11
varnish-software/varnish_cache_plus 6.0.0 (4 CPE variants)
varnish-software/varnish_cache_plus 6.0.1 r1 (5 CPE variants)
varnish-software/varnish_cache_plus 6.0.2 r1
varnish-software/varnish_cache_plus 6.0.3 r1 (9 CPE variants)
... and 5 more
Published Nov 09, 2022
Tracked Since Feb 18, 2026