CVE-2022-45060
published 2022-11-09


Priority: P3 42
Severity: high
CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 0.93% (percentile 56.1)
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
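The mechanism the description refers to is the proxy's HTTP/2-to-HTTP/1 translation step: the :method, :scheme, :authority and :path pseudo-headers are copied into an HTTP/1 request line, so a pseudo-header value carrying space, CR or LF bytes can terminate that line early and start a second request the client never sent. The following is an added, self-contained illustration of that bug class and of the input validation a translator needs; it is not Varnish code, and the naive_translate / safe_translate / count_request_lines names and the sample pseudo-header values are constructed for this example.

```python
"""
Added example for CVE-2022-45060's bug class: translating HTTP/2 pseudo-headers
into an HTTP/1 request line without validating them. Not Varnish code.
"""
import re

# RFC 9110 "tchar" set: the only characters allowed in an HTTP/1 method token
# or header field name.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Characters that must never reach an HTTP/1 request line from a pseudo-header:
# SP/HTAB split the line into extra tokens, CR/LF/NUL terminate or truncate it.
FORBIDDEN = frozenset(" \t\r\n\x00")

# Constructed sample inputs (assumptions for this example, not captured traffic).
BENIGN = {":method": "GET", ":scheme": "https",
          ":authority": "example.test", ":path": "/index.html"}
MALICIOUS = {":method": "GET", ":scheme": "https",
             ":authority": "example.test",
             # One :path value that, once pasted into an HTTP/1 request line,
             # finishes the first request and begins a second, attacker-chosen one.
             ":path": "/ HTTP/1.1\r\nHost: example.test\r\n\r\nPOST /admin"}


def naive_translate(pseudo, headers=()):
    """Vulnerable pattern: paste pseudo-header values straight into HTTP/1 syntax."""
    req = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\n"
    req += f"Host: {pseudo[':authority']}\r\n"
    for name, value in headers:
        req += f"{name}: {value}\r\n"
    return (req + "\r\n").encode("latin-1")


def validate_pseudo(pseudo):
    """Reject pseudo-header values that cannot form exactly one HTTP/1 request line.
    CONNECT (which carries no :scheme/:path) is out of scope for this example."""
    for name in (":method", ":scheme", ":authority", ":path"):
        if not pseudo.get(name):
            raise ValueError(f"missing or empty {name}")
    if any(c not in TCHAR for c in pseudo[":method"]):
        raise ValueError(":method is not a valid token")
    for name in (":scheme", ":authority", ":path"):
        if any(c in FORBIDDEN or ord(c) < 0x20 or ord(c) == 0x7F for c in pseudo[name]):
            raise ValueError(f"{name} contains a byte invalid in an HTTP/1 request line")
    if pseudo[":path"] != "*" and not pseudo[":path"].startswith("/"):
        raise ValueError(":path must be origin-form or asterisk-form")
    return True


def validate_headers(headers):
    """Ordinary fields get the same treatment: token names, no CR/LF/NUL in values."""
    for name, value in headers:
        if not name or any(c not in TCHAR for c in name):
            raise ValueError(f"invalid field name {name!r}")
        if any(c in "\r\n\x00" for c in value):
            raise ValueError(f"invalid byte in value of {name}")
    return True


def safe_translate(pseudo, headers=()):
    """Hardened translator: validate first, then serialise."""
    validate_pseudo(pseudo)
    validate_headers(headers)
    return naive_translate(pseudo, headers)


def is_rejected(pseudo, headers=()):
    """True if the hardened translator refuses the request."""
    try:
        safe_translate(pseudo, headers)
    except ValueError:
        return True
    return False


# What an HTTP/1 backend parser would recognise as a request line.
REQUEST_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/1\.[01]$")


def count_request_lines(raw):
    """Count the request lines a backend would see in the serialised byte stream."""
    return sum(1 for line in raw.split(b"\r\n") if REQUEST_LINE.match(line))


if __name__ == "__main__":
    forged = naive_translate(MALICIOUS)
    print(f"naive translator emitted {count_request_lines(forged)} request line(s)")
    print(f"hardened translator rejected it: {is_rejected(MALICIOUS)}")
```

Run as-is: the naive translator turns a single HTTP/2 request into a byte stream holding two HTTP/1 request lines, which is what lets the smuggled second request reach a backend behind the proxy; the validating translator refuses the same input before anything is serialised. The practical check on a real deployment is the same idea in reverse: send an HTTP/2 request whose :path or :method contains a space or CR/LF and confirm the proxy returns an error rather than forwarding anything.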

Affected

25 ranges (duplicate entries collapsed below, with their counts)

Vendor                  Product              Version range                          Fixed in
debian                  debian_linux         (no range listed, 2 entries)           
debian                  varnish              < varnish 7.1.1-1.1 (bookworm)         varnish 7.1.1-1.1 (bookworm)
fedoraproject           fedora               (no range listed, 3 entries)           
varnish-cache           varnish              >= 0, < 6.5.1-1+deb11u3                6.5.1-1+deb11u3
varnish-cache           varnish              >= 0, < 7.1.1-1.1 (3 entries)          7.1.1-1.1
varnish-software        varnish_cache        >= 6.0.0, < 6.0.11                     6.0.11
varnish-software        varnish_cache_plus   (no range listed, 11 entries)          
varnish_cache_project   varnish_cache        (no range listed)                      
varnish_cache_project   varnish_cache        >= 5.0.0, < 6.0.11                     6.0.11
varnish_cache_project   varnish_cache        >= 7.0.0, < 7.1.2                      7.1.2

Note: the description also names 7.2.x before 7.2.1 as affected (fixed in 7.2.1), but no entry for that range appears in the list above; check the 7.2 line separately when inventorying.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             3.1       7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
osv                       7.5     HIGH
vendor_debian             7.5     HIGH
vendor_redhat             7.5     HIGH