CVE-2022-23959 — HTTP Request Smuggling in Varnich Cache

CWE-444 — HTTP Request Smuggling8 documents7 sources

Severity

9.1CRITICALNVD

OSV7.5

EPSS

0.3%

top 42.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Varnish-cache Varnish Varnish-software Varnich Cache Varnish-software Varnish Cache +4 more

Timeline

PublishedJan 26

Latest updateJun 8

Description

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages6 packages

▶NVDvarnish-software/varnish_cache_plus6.0.0 — 6.0.9r4

▶NVDvarnish-software/varnich_cache1.0.0 — 6.6.2+2

▶NVDvarnish-software/varnish_cache6.0.0 — 6.0.10

▶NVDvarnish_cache_project/varnish_cache7.0.0 — 7.0.2

▶Debianvarnish-cache/varnish< 6.5.1-1+deb11u2+3

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 35

🔴Vulnerability Details

OSV

varnish vulnerabilities↗2022-06-08

▶

GHSA

GHSA-fcqv-r8cv-f88h: In Varnish Cache before 6↗2022-02-08

▶

OSV

CVE-2022-23959: In Varnish Cache before 6↗2022-01-26

▶

CVEList

CVE-2022-23959: In Varnish Cache before 6↗2022-01-26

▶

📋Vendor Advisories

Ubuntu

Varnish Cache vulnerabilities↗2022-06-08

▶

Red Hat

varnish: HTTP/1 request smuggling vulnerability↗2022-01-25

▶

Debian

CVE-2022-23959: varnish - In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before...↗2022

▶