CVE-2022-45059
Published 2022-11-09
Priority: P3 38 · Severity: high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 1.20% (64.3 percentile)
An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | varnish | < varnish 7.1.1-1.1 (bookworm) | varnish 7.1.1-1.1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| varnish-cache | varnish | >= 0 < 7.1.1-1.1 | 7.1.1-1.1 |
| varnish-cache | varnish | >= 0 < 7.1.1-1.1 | 7.1.1-1.1 |
| varnish-cache | varnish | >= 0 < 7.1.1-1.1 | 7.1.1-1.1 |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | >= 7.0.0 < 7.1.2 | 7.1.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
Red Hat
varnish: Request Smuggling Vulnerability
vendor_redhat · 2022-11-08 · CVSS 7.5
CVE-2022-45059 [HIGH] CWE-444
Statement: The varnish package versions as shipped with Red Hat Enterprise Linux 8 and 9 and also with Red Hat Software Collections are not affected by this issue. This vulnerability affects only Varnish 7 versions, while the distributed packages are based on Varnish 6.0 LTS releases.
Package: varnish:6/varnish (Red Hat Enterprise Linux 8) - Not affected
Package: varnish (Red Hat Enterprise Linux 9) - Not affected
Package: rh-varnish6-varnish (Red Hat Softwa
Debian
CVE-2022-45059: varnish - An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1...
vendor_debian · 2022 · CVSS 7.5
CVE-2022-45059 [HIGH]
Scope: local
bookworm: resolved (fixed in 7.1.1-1.1)
bullseye: resolved
forky: resolved (fixed in 7.1.1-1.1)
sid: resolved (fixed in 7.1.1-1.1)
trixie: resolved (fixed in 7.1.1-1.1)
OSV
CVE-2022-45059: An issue was discovered in Varnish Cache 7
osv · 2022-11-09 · CVSS 7.5
CVE-2022-45059 [HIGH]
GHSA
GHSA-p22x-6r5h-g873: An issue was discovered in Varnish Cache 7
ghsa_unreviewed · 2022-11-09
CVE-2022-45059 [HIGH] CWE-444
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/
https://varnish-cache.org/security/VSV00010.html