All the vulnerabilities related to varnish-software - varnish_cache_plus
cve-2022-45060
Vulnerability from cvelistv5
Published
2022-11-09 00:00
Modified
2024-08-03 14:01
Severity ?
EPSS score ?
Summary
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:01:31.453Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://varnish-cache.org/security/VSV00011.html" }, { "tags": [ "x_transferred" ], "url": "https://docs.varnish-software.com/security/VSV00011" }, { "name": "FEDORA-2022-babfbc2622", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/" }, { "name": "FEDORA-2022-0d5dcc031e", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/" }, { "name": "FEDORA-2022-99c5ddb2ae", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3208-1] varnish security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html" }, { "name": "DSA-5334", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5334" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. 
This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-30T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://varnish-cache.org/security/VSV00011.html" }, { "url": "https://docs.varnish-software.com/security/VSV00011" }, { "name": "FEDORA-2022-babfbc2622", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/" }, { "name": "FEDORA-2022-0d5dcc031e", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/" }, { "name": "FEDORA-2022-99c5ddb2ae", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3208-1] varnish security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html" }, { "name": "DSA-5334", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5334" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-45060", "datePublished": "2022-11-09T00:00:00", "dateReserved": "2022-11-09T00:00:00", "dateUpdated": "2024-08-03T14:01:31.453Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23959
Vulnerability from cvelistv5
Published
2022-01-26 00:38
Modified
2024-08-03 03:59
Severity ?
EPSS score ?
Summary
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
References
▼ | URL | Tags |
---|---|---|
https://varnish-cache.org/security/VSV00008.html | x_refsource_MISC | |
https://docs.varnish-software.com/security/VSV00008/ | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html | mailing-list, x_refsource_MLIST | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2022/dsa-5088 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:59:23.263Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://varnish-cache.org/security/VSV00008.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.varnish-software.com/security/VSV00008/" }, { "name": "[debian-lts-announce] 20220214 [SECURITY] [DLA 2920-1] varnish security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html" }, { "name": "FEDORA-2022-2f14ec7663", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/" }, { "name": "DSA-5088", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5088" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-04T12:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://varnish-cache.org/security/VSV00008.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://docs.varnish-software.com/security/VSV00008/" }, { "name": "[debian-lts-announce] 20220214 [SECURITY] [DLA 2920-1] varnish security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html" }, { "name": "FEDORA-2022-2f14ec7663", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/" }, { "name": "DSA-5088", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2022/dsa-5088" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23959", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://varnish-cache.org/security/VSV00008.html", "refsource": "MISC", "url": "https://varnish-cache.org/security/VSV00008.html" }, { "name": "https://docs.varnish-software.com/security/VSV00008/", "refsource": "MISC", "url": "https://docs.varnish-software.com/security/VSV00008/" }, { "name": "[debian-lts-announce] 20220214 [SECURITY] [DLA 2920-1] varnish security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html" }, { "name": "FEDORA-2022-2f14ec7663", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/" }, { "name": "DSA-5088", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5088" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23959", "datePublished": "2022-01-26T00:38:55", "dateReserved": "2022-01-26T00:00:00", "dateUpdated": "2024-08-03T03:59:23.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2022-11-09 06:15
Modified
2024-11-21 07:28
Severity ?
Summary
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*", "matchCriteriaId": "CBC045A4-A594-490E-A5A1-C024E2A9A493", "versionEndExcluding": "6.0.11", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "907C8317-4D77-4BE6-A561-E157DA4BF0E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.0:r0:*:*:*:*:*:*", "matchCriteriaId": "3A78BEAF-DCB4-4A4F-AF9A-C1D6BB7FE00A", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.0:r1:*:*:*:*:*:*", "matchCriteriaId": "A4852C23-2D75-4614-98AF-E9EC1E24F704", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.0:r2:*:*:*:*:*:*", "matchCriteriaId": "F21417AD-D1B2-4743-8305-3602EC6CB079", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0E4B13AD-E08E-4966-9971-F720966FA6DE", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.1:r2:*:*:*:*:*:*", "matchCriteriaId": "C5DF089D-3DE1-4B30-AADD-436B0096FB6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.1:r3:*:*:*:*:*:*", "matchCriteriaId": "54CAEB07-9CDB-44D7-A406-4055A116B47F", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.1:r4:*:*:*:*:*:*", "matchCriteriaId": "4EAFF73E-D689-477D-9A8A-C17A53520418", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.1:r5:*:*:*:*:*:*", "matchCriteriaId": "39947153-84A8-4809-AAA3-89F7029E0040", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.2:r1:*:*:*:*:*:*", "matchCriteriaId": "721C3CCE-D1AF-4461-8244-52E7D4DDEA05", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r1:*:*:*:*:*:*", "matchCriteriaId": "489B9C78-A713-4F22-AEFE-009CE6D244DA", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r2:*:*:*:*:*:*", "matchCriteriaId": "722170D4-4A16-4775-8345-2EAF3C077B02", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r3:*:*:*:*:*:*", "matchCriteriaId": "6A75CC70-D8FC-40DF-BE1E-63A41212766F", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r4:*:*:*:*:*:*", "matchCriteriaId": "8D552773-5FA0-469F-AB77-67F3BE9A4C86", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r5:*:*:*:*:*:*", "matchCriteriaId": "0D251D62-2E7A-41AB-933A-393A271DC6F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r6:*:*:*:*:*:*", "matchCriteriaId": "629A8693-92F3-44AC-979C-F5B1EA018E8D", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r7:*:*:*:*:*:*", "matchCriteriaId": "2DE06940-396B-493C-9587-1C51352568AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r8:*:*:*:*:*:*", "matchCriteriaId": "52BB2290-9527-4A36-9F82-D490D5FB8AA2", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.3:r9:*:*:*:*:*:*", "matchCriteriaId": "10EE46DF-B1D8-4E7F-B81D-49BD4B6A93B3", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.4:r1:*:*:*:*:*:*", "matchCriteriaId": "CBD39D3C-0A89-4607-AAAA-BCA1ECDC4AAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.4:r2:*:*:*:*:*:*", "matchCriteriaId": "C11F5566-F6B1-49D9-A261-62CD2D5E2AF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.4:r3:*:*:*:*:*:*", "matchCriteriaId": "2F92A1F1-3233-4166-A407-47296344AC39", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.5:r1:*:*:*:*:*:*", "matchCriteriaId": "28E0D7CF-5DEB-41B4-AB1B-E2A0684290AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.5:r2:*:*:*:*:*:*", "matchCriteriaId": "8FE1C128-2BDF-41E3-8068-50C903B91564", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.5:r3:*:*:*:*:*:*", "matchCriteriaId": "1B252808-CBE2-4C72-917A-94238EAF2C8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r1:*:*:*:*:*:*", "matchCriteriaId": "C4CADC60-EE14-4540-85FD-8472891C67A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r10:*:*:*:*:*:*", "matchCriteriaId": "CC1221B2-7BF1-4E53-86AD-F2FFA3B32A2C", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r2:*:*:*:*:*:*", "matchCriteriaId": "BC7A76CA-29CF-4483-B11E-746FA42DC2BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r3:*:*:*:*:*:*", "matchCriteriaId": "B14932A0-C394-4F92-A28C-5A95707A276E", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r4:*:*:*:*:*:*", "matchCriteriaId": "3280D3CD-3794-476C-A795-0AFA049397F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r5:*:*:*:*:*:*", "matchCriteriaId": "48252690-1166-49E4-9958-9FEEA9BCFB4A", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r6:*:*:*:*:*:*", "matchCriteriaId": "B599595D-6448-45A3-B96E-A2A078B83D20", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r7:*:*:*:*:*:*", "matchCriteriaId": "42957503-3960-4319-AE93-03769474C47B", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r8:*:*:*:*:*:*", "matchCriteriaId": "B6D10046-700E-4711-BD4D-51EE1499715F", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.6:r9:*:*:*:*:*:*", "matchCriteriaId": "350EDDE8-D5DE-455B-A9AF-C94207F6A971", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.7:r1:*:*:*:*:*:*", "matchCriteriaId": "15D3CB75-C092-4BD7-936A-114E8CB00C21", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.7:r2:*:*:*:*:*:*", "matchCriteriaId": "53188EBC-6C29-454A-9104-C8BDE36E3A18", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.7:r3:*:*:*:*:*:*", "matchCriteriaId": "718187D2-CCA6-4033-B366-2425E8BD9D17", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.8:r1:*:*:*:*:*:*", "matchCriteriaId": "D18E25AD-C4B6-44C4-9831-A4A1D63CAA2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.8:r2:*:*:*:*:*:*", "matchCriteriaId": "64AA4107-764E-4420-8890-8448760009F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.8:r3:*:*:*:*:*:*", "matchCriteriaId": "A29AEE1F-A65E-427B-B19E-534DFF87B9C8", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.8:r4:*:*:*:*:*:*", "matchCriteriaId": "8E4062B5-D416-46ED-94D9-865930B20C16", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.8:r5:*:*:*:*:*:*", "matchCriteriaId": "13D952FC-83C4-494A-AFD5-AD2CC253C823", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.8:r6:*:*:*:*:*:*", "matchCriteriaId": "76F3E32E-D9EF-4E21-88EE-2133A8816DC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.8:r7:*:*:*:*:*:*", "matchCriteriaId": "71718C54-D482-4DD0-B72A-0F0758BC0E69", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.9:r1:*:*:*:*:*:*", "matchCriteriaId": "3B51C4A5-741B-43F9-96ED-2623CFB28B07", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.9:r2:*:*:*:*:*:*", "matchCriteriaId": "FCB5C8BB-9090-44C5-A9F1-50A81F807A2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.9:r3:*:*:*:*:*:*", "matchCriteriaId": "E443CD72-0D43-4DC5-9380-E9ADC5A86ACF", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.9:r4:*:*:*:*:*:*", "matchCriteriaId": "37D55455-8529-481A-A1AC-28CFAFCA14F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.9:r5:*:*:*:*:*:*", "matchCriteriaId": "363F246A-A4ED-42BA-B441-50F58E83E75D", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.9:r6:*:*:*:*:*:*", "matchCriteriaId": "709EC77A-852D-461D-8AF2-BF725F6B2B9D", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.9:r7:*:*:*:*:*:*", "matchCriteriaId": "106D4599-E3DA-4B0A-9CA9-DC8C59639DB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.10:r1:*:*:*:*:*:*", "matchCriteriaId": "7B72DE86-F3BD-4A75-BBA0-6BBB6D08187D", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:6.0.10:r2:*:*:*:*:*:*", "matchCriteriaId": "98E391AB-C40B-465E-8ADB-78C4504113D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*", "matchCriteriaId": "02FB317B-A23B-448C-9D79-1E06E2CF9F38", "versionEndExcluding": "6.0.11", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1E56F91-6381-4EB6-93CD-1BC499BD24F6", "versionEndExcluding": "7.1.2", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "22060FA9-37E1-44F2-AD21-51440D679AA1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { 
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected." }, { "lang": "es", "value": "Se descubri\u00f3 un problema de HTTP Request Forgery en Varnish Cache 5.x y 6.x anteriores a 6.0.11, 7.x anteriores a 7.1.2 y 7.2.x anteriores a 7.2.1. Un atacante puede introducir caracteres a trav\u00e9s de pseudoencabezados HTTP/2 que no son v\u00e1lidos en el contexto de una l\u00ednea de solicitud HTTP/1, lo que hace que el servidor Varnish produzca solicitudes HTTP/1 no v\u00e1lidas al backend. Esto, a su vez, podr\u00eda usarse para explotar vulnerabilidades en un servidor detr\u00e1s del servidor Varnish. 
Nota: la serie 6.0.x LTS (anterior a 6.0.11) se ve afectada." } ], "id": "CVE-2022-45060", "lastModified": "2024-11-21T07:28:41.880", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-09T06:15:09.830", "references": [ { "source": "cve@mitre.org", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://docs.varnish-software.com/security/VSV00011" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/" }, { "source": "cve@mitre.org", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://varnish-cache.org/security/VSV00011.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2023/dsa-5334" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://docs.varnish-software.com/security/VSV00011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", 
"Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://varnish-cache.org/security/VSV00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2023/dsa-5334" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-01-26 01:15
Modified
2024-11-21 06:49
Severity ?
Summary
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
varnish-software | varnich_cache | * | |
varnish-software | varnich_cache | * | |
varnish-software | varnich_cache | 4.1 | |
varnish-software | varnish_cache | * | |
varnish-software | varnish_cache_plus | * | |
varnish_cache_project | varnish_cache | * | |
fedoraproject | fedora | 35 | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 | |
debian | debian_linux | 11.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:-:*:*:*", "matchCriteriaId": "46189326-29F3-4641-ADB0-5355B69776D1", "versionEndExcluding": "6.6.2", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:plus:*:*:*", "matchCriteriaId": "409748DC-967D-4843-8FE4-E06F75A4B459", "versionEndExcluding": "4.1.11r6", "versionStartIncluding": "4.1.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnich_cache:4.1:*:*:*:lts:*:*:*", "matchCriteriaId": "9EE19451-5DA3-4F4B-B972-13ED93EE4446", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*", "matchCriteriaId": "5C4F2BA4-3275-4365-9F41-0D04320C383A", "versionEndExcluding": "6.0.10", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "16AE4401-F65C-4246-98AA-AAAAEFA97D73", "versionEndExcluding": "6.0.9r4", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E0E1405-62BB-446D-A04B-0A312FB81E3E", "versionEndExcluding": "7.0.2", "versionStartIncluding": "7.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections." }, { "lang": "es", "value": "En Varnish Cache versiones anteriores a 6.6.2 y 7.x versiones anteriores a 7.0.2, Varnish Cache 6.0 LTS versiones anteriores a 6.0.10, y Varnish Enterprise (Cache Plus) 4.1.x versiones anteriores a 4.1.11r6 y 6.0.x versiones anteriores a 6.0.9r4, puede producirse contrabando de peticiones para conexiones HTTP/1" } ], "id": "CVE-2022-23959", "lastModified": "2024-11-21T06:49:32.090", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-26T01:15:07.900", "references": [ { "source": "cve@mitre.org", "tags": [ 
"Mitigation", "Vendor Advisory" ], "url": "https://docs.varnish-software.com/security/VSV00008/" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/" }, { "source": "cve@mitre.org", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://varnish-cache.org/security/VSV00008.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2022/dsa-5088" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://docs.varnish-software.com/security/VSV00008/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://varnish-cache.org/security/VSV00008.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2022/dsa-5088" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-444" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }