CVE-2022-45060 — Improper Input Validation in Varnish Cache

CWE-20 — Improper Input Validation CWE-918 — Server-Side Request Forgery7 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 23.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Varnish-cache Varnish Varnish-software Varnish Cache Varnish Cache Project Varnish Cache +3 more

Timeline

PublishedNov 9

Latest updateMar 26

Description

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDvarnish-software/varnish_cache6.0.0 — 6.0.11

▶NVDvarnish_cache_project/varnish_cache5.0.0 — 6.0.11+2

▶Debianvarnish-cache/varnish< 6.5.1-1+deb11u3+3

▶NVDvarnish-software/varnish_cache_plus11 versions+10

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36, 37

🔴Vulnerability Details

OSV

CVE-2022-45060: An HTTP Request Forgery issue was discovered in Varnish Cache 5↗2022-11-09

▶

GHSA

GHSA-78x9-jhxm-553x: An HTTP Request Forgery issue was discovered in Varnish Cache 5↗2022-11-09

▶

CVEList

CVE-2022-45060: An HTTP Request Forgery issue was discovered in Varnish Cache 5↗2022-11-09

▶

📋Vendor Advisories

Ubuntu

Varnish vulnerability↗2025-03-26

▶

Red Hat

varnish: Request Forgery Vulnerability↗2022-11-08

▶

Debian

CVE-2022-45060: varnish - An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before...↗2022

▶