CVE-2022-45060

HIGH

Published Nov 9, 20223y ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Nov 9, 2022 3y ago

Last Modified Jun 17, 2026 1w ago

Description

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

Affected Products 63

Vendor	Product	Version	Range
varnish-software	varnish_cache	*	≥6.0.0 – <6.0.11
varnish-software	varnish_cache_plus	6.0.0	any
varnish-software	varnish_cache_plus	6.0.0	any
varnish-software	varnish_cache_plus	6.0.0	any
varnish-software	varnish_cache_plus	6.0.0	any
varnish-software	varnish_cache_plus	6.0.1	any
varnish-software	varnish_cache_plus	6.0.1	any
varnish-software	varnish_cache_plus	6.0.1	any
varnish-software	varnish_cache_plus	6.0.1	any
varnish-software	varnish_cache_plus	6.0.1	any
varnish-software	varnish_cache_plus	6.0.2	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.3	any
varnish-software	varnish_cache_plus	6.0.4	any
varnish-software	varnish_cache_plus	6.0.4	any
varnish-software	varnish_cache_plus	6.0.4	any
varnish-software	varnish_cache_plus	6.0.5	any
varnish-software	varnish_cache_plus	6.0.5	any
varnish-software	varnish_cache_plus	6.0.5	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.6	any
varnish-software	varnish_cache_plus	6.0.7	any
varnish-software	varnish_cache_plus	6.0.7	any
varnish-software	varnish_cache_plus	6.0.7	any
varnish-software	varnish_cache_plus	6.0.8	any
varnish-software	varnish_cache_plus	6.0.8	any
varnish-software	varnish_cache_plus	6.0.8	any
varnish-software	varnish_cache_plus	6.0.8	any
varnish-software	varnish_cache_plus	6.0.8	any
varnish-software	varnish_cache_plus	6.0.8	any
varnish-software	varnish_cache_plus	6.0.8	any
varnish-software	varnish_cache_plus	6.0.9	any
varnish-software	varnish_cache_plus	6.0.9	any
varnish-software	varnish_cache_plus	6.0.9	any
varnish-software	varnish_cache_plus	6.0.9	any
varnish-software	varnish_cache_plus	6.0.9	any
varnish-software	varnish_cache_plus	6.0.9	any
varnish-software	varnish_cache_plus	6.0.9	any
varnish-software	varnish_cache_plus	6.0.10	any
varnish-software	varnish_cache_plus	6.0.10	any
varnish_cache_project	varnish_cache	*	≥5.0.0 – <6.0.11
varnish_cache_project	varnish_cache	*	≥7.0.0 – <7.1.2
varnish_cache_project	varnish_cache	7.2.0	any
fedoraproject	fedora	35	any
fedoraproject	fedora	36	any
fedoraproject	fedora	37	any
debian	debian_linux	10.0	any
debian	debian_linux	11.0	any

References 7

docs.varnish-software.com https://docs.varnish-software.com/security/VSV00011

MitigationVendor Advisory
lists.debian.org https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html

Mailing ListThird Party Advisory
lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/
lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/
lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/
varnish-cache.org https://varnish-cache.org/security/VSV00011.html

MitigationVendor Advisory
debian.org https://www.debian.org/security/2023/dsa-5334

Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.