{"api_version":"1","generated_at":"2026-04-23T01:14:48+00:00","cve":"CVE-2022-23959","urls":{"html":"https://cve.report/CVE-2022-23959","api":"https://cve.report/api/cve/CVE-2022-23959.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23959","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23959"},"summary":{"title":"CVE-2022-23959","description":"In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-01-26 01:15:00","updated_at":"2023-11-07 03:44:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html","name":"[debian-lts-announce] 20220214 [SECURITY] [DLA 2920-1] varnish security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2920-1] varnish security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/","name":"FEDORA-2022-2f14ec7663","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: varnish-6.6.2-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://docs.varnish-software.com/security/VSV00008/","name":"https://docs.varnish-software.com/security/VSV00008/","refsource":"MISC","tags":[],"title":"Varnish HTTP/1 Request Smuggling -\n    Varnish Software Documentation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5088","name":"DSA-5088","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5088-1 
varnish","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://varnish-cache.org/security/VSV00008.html","name":"https://varnish-cache.org/security/VSV00008.html","refsource":"MISC","tags":[],"title":"VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability — Varnish HTTP Cache","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/","name":"FEDORA-2022-2f14ec7663","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: varnish-6.6.2-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23959","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23959","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6"
:"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-software","cpe5":"varnich_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-software","cpe5":"varnich_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-software","cpe5":"varnich_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"plus","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-software","cpe5":"varnich_cache","cpe6":"4.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-software","cpe5":"varnish_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish-software","cpe5":"varnish_cache_plus","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23959","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"varnish_cache_project","cpe5":"varnish_cache","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-
23959","qid":"159626","title":"Oracle Enterprise Linux Security Update for varnish:6 (ELSA-2022-0418)"},{"cve":"CVE-2022-23959","qid":"179072","title":"Debian Security Update for varnish (DLA 2920-1)"},{"cve":"CVE-2022-23959","qid":"179098","title":"Debian Security Update for varnish (DSA 5088-1)"},{"cve":"CVE-2022-23959","qid":"182438","title":"Debian Security Update for varnish (CVE-2022-23959)"},{"cve":"CVE-2022-23959","qid":"198827","title":"Ubuntu Security Notification for Varnish Cache Vulnerabilities (USN-5474-1)"},{"cve":"CVE-2022-23959","qid":"240061","title":"Red Hat Update for varnish:6 (RHSA-2022:0418)"},{"cve":"CVE-2022-23959","qid":"240063","title":"Red Hat Update for varnish:6 (RHSA-2022:0422)"},{"cve":"CVE-2022-23959","qid":"240064","title":"Red Hat Update for varnish:6 (RHSA-2022:0421)"},{"cve":"CVE-2022-23959","qid":"240365","title":"Red Hat Update for rh-varnish6-varnish (RHSA-2022:4745)"},{"cve":"CVE-2022-23959","qid":"240438","title":"Red Hat Update for varnish:6 (RHSA-2022:0420)"},{"cve":"CVE-2022-23959","qid":"282392","title":"Fedora Security Update for varnish (FEDORA-2022-2f14ec7663)"},{"cve":"CVE-2022-23959","qid":"354047","title":"Amazon Linux Security Advisory for varnish : ALAS-2022-1632"},{"cve":"CVE-2022-23959","qid":"376890","title":"Alibaba Cloud Linux Security Update for varnish:6 (ALINUX3-SA-2022:0024)"},{"cve":"CVE-2022-23959","qid":"500720","title":"Alpine Linux Security Update for varnish"},{"cve":"CVE-2022-23959","qid":"501789","title":"Alpine Linux Security Update for varnish"},{"cve":"CVE-2022-23959","qid":"502036","title":"Alpine Linux Security Update for varnish"},{"cve":"CVE-2022-23959","qid":"504494","title":"Alpine Linux Security Update for varnish"},{"cve":"CVE-2022-23959","qid":"690775","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for varnish (b0c83e1a-8153-11ec-84f9-641c67a117d8)"},{"cve":"CVE-2022-23959","qid":"940449","title":"AlmaLinux Security Update for varnish:6 
(ALSA-2022:0418)"},{"cve":"CVE-2022-23959","qid":"960809","title":"Rocky Linux Security Update for varnish:6 (RLSA-2022:0418)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-23959","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://varnish-cache.org/security/VSV00008.html","refsource":"MISC","name":"https://varnish-cache.org/security/VSV00008.html"},{"url":"https://docs.varnish-software.com/security/VSV00008/","refsource":"MISC","name":"https://docs.varnish-software.com/security/VSV00008/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220214 [SECURITY] [DLA 2920-1] varnish security update","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"},{"refsource":"FEDORA","name":"FEDORA-2022-2f14ec7663","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/"},{"refsource":"DEBIAN","name":"DSA-5088","url":"https://www.debian.org/security/2022/dsa-5088"}]}},"nvd":{"publishedDate":"2022-01-26 01:15:00","lastModifiedDate":"2023-11-07 
03:44:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-software:varnich_cache:4.1:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:plus:*:*:*","versionStartIncluding":"4.1.1","versionEndExcluding":"4.1.11r6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:-:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"6.6.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.0.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.0.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:varnish-software:varnish_cache_plus:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.0.9r4","cpe_name":[]}]},{"operator":"OR","children"
:[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23959","Ordinal":"227042","Title":"CVE-2022-23959","CVE":"CVE-2022-23959","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23959","Ordinal":"1","NoteData":"In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"23959","Ordinal":"2","NoteData":"2022-01-25","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"23959","Ordinal":"3","NoteData":"2022-02-13","Type":"Other","Title":"Modified"}]}}}