Lucene search

[email protected]NVD:CVE-2022-45060

HistoryNov 09, 2022 - 6:15 a.m.

CVE-2022-45060

2022-11-0906:15:09

[email protected]

web.nvd.nist.gov

cve-2022-45060

varnish cache

http/2

http/1

security issue

server vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

69.6%

JSON

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Affected configurations

Nvd

Node

varnish-softwarevarnish_cacheRange6.0.0–6.0.11lts

varnish-softwarevarnish_cache_plusMatch6.0.0-

varnish-softwarevarnish_cache_plusMatch6.0.0r0

varnish-softwarevarnish_cache_plusMatch6.0.0r1

varnish-softwarevarnish_cache_plusMatch6.0.0r2

varnish-softwarevarnish_cache_plusMatch6.0.1r1

varnish-softwarevarnish_cache_plusMatch6.0.1r2

varnish-softwarevarnish_cache_plusMatch6.0.1r3

varnish-softwarevarnish_cache_plusMatch6.0.1r4

varnish-softwarevarnish_cache_plusMatch6.0.1r5

varnish-softwarevarnish_cache_plusMatch6.0.2r1

varnish-softwarevarnish_cache_plusMatch6.0.3r1

varnish-softwarevarnish_cache_plusMatch6.0.3r2

varnish-softwarevarnish_cache_plusMatch6.0.3r3

varnish-softwarevarnish_cache_plusMatch6.0.3r4

varnish-softwarevarnish_cache_plusMatch6.0.3r5

varnish-softwarevarnish_cache_plusMatch6.0.3r6

varnish-softwarevarnish_cache_plusMatch6.0.3r7

varnish-softwarevarnish_cache_plusMatch6.0.3r8

varnish-softwarevarnish_cache_plusMatch6.0.3r9

varnish-softwarevarnish_cache_plusMatch6.0.4r1

varnish-softwarevarnish_cache_plusMatch6.0.4r2

varnish-softwarevarnish_cache_plusMatch6.0.4r3

varnish-softwarevarnish_cache_plusMatch6.0.5r1

varnish-softwarevarnish_cache_plusMatch6.0.5r2

varnish-softwarevarnish_cache_plusMatch6.0.5r3

varnish-softwarevarnish_cache_plusMatch6.0.6r1

varnish-softwarevarnish_cache_plusMatch6.0.6r10

varnish-softwarevarnish_cache_plusMatch6.0.6r2

varnish-softwarevarnish_cache_plusMatch6.0.6r3

varnish-softwarevarnish_cache_plusMatch6.0.6r4

varnish-softwarevarnish_cache_plusMatch6.0.6r5

varnish-softwarevarnish_cache_plusMatch6.0.6r6

varnish-softwarevarnish_cache_plusMatch6.0.6r7

varnish-softwarevarnish_cache_plusMatch6.0.6r8

varnish-softwarevarnish_cache_plusMatch6.0.6r9

varnish-softwarevarnish_cache_plusMatch6.0.7r1

varnish-softwarevarnish_cache_plusMatch6.0.7r2

varnish-softwarevarnish_cache_plusMatch6.0.7r3

varnish-softwarevarnish_cache_plusMatch6.0.8r1

varnish-softwarevarnish_cache_plusMatch6.0.8r2

varnish-softwarevarnish_cache_plusMatch6.0.8r3

varnish-softwarevarnish_cache_plusMatch6.0.8r4

varnish-softwarevarnish_cache_plusMatch6.0.8r5

varnish-softwarevarnish_cache_plusMatch6.0.8r6

varnish-softwarevarnish_cache_plusMatch6.0.8r7

varnish-softwarevarnish_cache_plusMatch6.0.9r1

varnish-softwarevarnish_cache_plusMatch6.0.9r2

varnish-softwarevarnish_cache_plusMatch6.0.9r3

varnish-softwarevarnish_cache_plusMatch6.0.9r4

varnish-softwarevarnish_cache_plusMatch6.0.9r5

varnish-softwarevarnish_cache_plusMatch6.0.9r6

varnish-softwarevarnish_cache_plusMatch6.0.9r7

varnish-softwarevarnish_cache_plusMatch6.0.10r1

varnish-softwarevarnish_cache_plusMatch6.0.10r2

varnish_cache_projectvarnish_cacheRange5.0.0–6.0.11

varnish_cache_projectvarnish_cacheRange7.0.0–7.1.2

varnish_cache_projectvarnish_cacheMatch7.2.0

Node

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

fedoraprojectfedoraMatch37

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

References

docs.varnish-software.com/security/VSV00011

lists.debian.org/debian-lts-announce/2022/11/msg00036.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/

varnish-cache.org/security/VSV00011.html

www.debian.org/security/2023/dsa-5334

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

69.6%

JSON

Related for NVD:CVE-2022-45060

nessus19 rocky2 redhat8 ubuntucve1 debian2 mageia1 veracode1 debiancve1 osv8 redhatcve1 oraclelinux2 almalinux2 cvelist1 prion1 cve1 openvas7 fedora4 redos1