CVE-2022-45060

Summary

CVE	CVE-2022-45060
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-11-09 06:15:00 UTC
Updated	2023-11-07 03:54:00 UTC
Description	An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Application	Varnish-software	Varnish Cache	All	All	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.0	-	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.0	r0	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.0	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.0	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.1	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.1	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.1	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.1	r4	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.1	r5	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.10	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.10	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.2	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r4	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r5	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r6	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r7	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r8	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.3	r9	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.4	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.4	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.4	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.5	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.5	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.5	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r10	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r4	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r5	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r6	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r7	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r8	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.6	r9	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.7	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.7	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.7	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.8	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.8	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.8	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.8	r4	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.8	r5	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.8	r6	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.8	r7	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.9	r1	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.9	r2	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.9	r3	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.9	r4	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.9	r5	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.9	r6	All	All
Application	Varnish-software	Varnish Cache Plus	6.0.9	r7	All	All
Application	Varnish Cache Project	Varnish Cache	All	All	All	All
Application	Varnish Cache Project	Varnish Cache	7.2.0	All	All	All

References

Reference	Source	Link	Tags
Varnish HTTP/2 Request Forgery - Varnish Software Documentation	MISC	docs.varnish-software.com
[SECURITY] [DLA 3208-1] varnish security update	MLIST	lists.debian.org
[SECURITY] Fedora 35 Update: varnish-6.6.2-3.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 36 Update: varnish-7.0.3-2.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 36 Update: varnish-7.0.3-2.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
VSV00011 Varnish HTTP/2 Request Forgery Vulnerability — Varnish HTTP Cache	MISC	varnish-cache.org
Debian -- Security Information -- DSA-5334-1 varnish	DEBIAN	www.debian.org
[SECURITY] Fedora 35 Update: varnish-6.6.2-3.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 37 Update: varnish-modules-0.20.0-4.fc37 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 37 Update: varnish-modules-0.20.0-4.fc37 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

160332 Oracle Enterprise Linux Security Update for varnish:6 (ELSA-2022-8649)
160334 Oracle Enterprise Linux Security Update for varnish (ELSA-2022-8643)
181251 Debian Security Update for varnish (DLA 3208-1)
181519 Debian Security Update for varnish (DSA 5334-1)
182678 Debian Security Update for varnish (CVE-2022-45060)
240940 Red Hat Update for varnish (RHSA-2022:8643)
240942 Red Hat Update for varnish:6 (RHSA-2022:8645)
240943 Red Hat Update for varnish:6 (RHSA-2022:8649)
240946 Red Hat Update for varnish (RHSA-2022:8644)
240948 Red Hat Update for varnish:6 (RHSA-2022:8650)
241181 Red Hat Update for rh-varnish6-varnish (RHSA-2023:0673)
283337 Fedora Security Update for varnish (FEDORA-2022-babfbc2622)
283349 Fedora Security Update for varnish (FEDORA-2022-99c5ddb2ae)
283422 Fedora Security Update for varnish (FEDORA-2022-0d5dcc031e)
377819 Alibaba Cloud Linux Security Update for varnish:6 (ALINUX3-SA-2022:0187)
503136 Alpine Linux Security Update for varnish
505949 Alpine Linux Security Update for varnish
510804 Alpine Linux Security Update for varnish
940851 AlmaLinux Security Update for varnish:6 (ALSA-2022:8649)
940852 AlmaLinux Security Update for varnish (ALSA-2022:8643)
960466 Rocky Linux Security Update for varnish:6 (RLSA-2022:8649)
960639 Rocky Linux Security Update for varnish (RLSA-2022:8643)