CVE-2022-45060

Name: CVE-2022-45060
Description: An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3208-1, DSA-5334-1
Debian Bugs: 1023751
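The mechanism in the description above, as an added worked example in Python. This is not Varnish's code (the actual fix is the commit linked under Notes) and the request shapes are constructed for illustration. It shows a naive HTTP/2-to-HTTP/1 translation that copies pseudo-header values verbatim into the request line and Host header, the forged backend request that results when `:path` carries a space and CRLF, and the validation that rejects such values before serialization: `:method` and `:scheme` must be RFC 9110 tokens, `:path` and `:authority` must consist only of visible ASCII (no SP, CTL or non-ASCII bytes), following the field-validity rules of RFC 9113. The helper `count_requests` stands in for a backend's HTTP/1 parser and is an assumption of this example.

```python
"""Added example (not Varnish code): h2 pseudo-headers -> h1 request line.

Shows why unvalidated pseudo-header values let an HTTP/2 client forge
additional HTTP/1 requests on the backend connection, and the check that
stops it.  All names and sample requests are constructed for illustration.
"""
import re

CRLF = "\r\n"
# RFC 9110 token characters (used for :method and :scheme).
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Visible ASCII only: no SP, no CR/LF, no other controls, no bytes >= 0x80
# (used for :path and :authority, which end up in the request line / Host).
_VCHAR = re.compile(r"[\x21-\x7e]+")


class BadPseudoHeader(ValueError):
    """Raised when a pseudo-header cannot legally appear in an HTTP/1 request."""


def h1_request_unchecked(pseudo: dict, headers: dict) -> str:
    """Vulnerable translation: pseudo-header values copied verbatim.

    This is the behaviour the advisory describes; it does not represent
    Varnish's actual serializer.
    """
    out = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1{CRLF}"
    out += f"Host: {pseudo[':authority']}{CRLF}"
    for name, value in headers.items():
        out += f"{name}: {value}{CRLF}"
    return out + CRLF


def validate_pseudo(pseudo: dict) -> None:
    """Reject pseudo-header values that are invalid in an HTTP/1 request line.

    re.fullmatch is used deliberately: re.match with a '$' anchor would still
    accept a value with a trailing newline.
    """
    required = {":method", ":path", ":scheme", ":authority"}
    missing = required - pseudo.keys()
    if missing:
        raise BadPseudoHeader(f"missing pseudo-headers: {sorted(missing)}")
    for name in (":method", ":scheme"):
        if not _TOKEN.fullmatch(pseudo[name]):
            raise BadPseudoHeader(f"{name} is not a token: {pseudo[name]!r}")
    for name in (":path", ":authority"):
        if not _VCHAR.fullmatch(pseudo[name]):
            raise BadPseudoHeader(
                f"{name} contains SP, CTL or non-ASCII bytes: {pseudo[name]!r}")


def h1_request_checked(pseudo: dict, headers: dict) -> str:
    """Hardened translation: validate first, then serialize."""
    validate_pseudo(pseudo)
    return h1_request_unchecked(pseudo, headers)


def count_requests(h1_text: str) -> int:
    """Stand-in for a backend HTTP/1 parser: how many request lines it sees."""
    return len(re.findall(r"^[A-Z]+ \S+ HTTP/1\.1\r$", h1_text, re.M))


# Constructed samples: a legitimate request and one whose :path smuggles a
# complete second request line behind a CRLF CRLF.
BENIGN = {":method": "GET", ":scheme": "https",
          ":authority": "victim.example", ":path": "/index.html"}
FORGED = dict(BENIGN, **{":path": "/ HTTP/1.1\r\nHost: backend\r\n\r\nGET /admin"})
SPACED_METHOD = dict(BENIGN, **{":method": "GET /x"})
SPACED_AUTHORITY = dict(BENIGN, **{":authority": "victim.example\r\nX-Evil: 1"})


if __name__ == "__main__":
    forged = h1_request_unchecked(FORGED, {})
    print(f"unchecked: backend sees {count_requests(forged)} request(s)")
    print(repr(forged))
    for sample in (FORGED, SPACED_METHOD, SPACED_AUTHORITY):
        try:
            h1_request_checked(sample, {})
        except BadPseudoHeader as exc:
            print(f"checked: rejected ({exc})")
```

With the unchecked path the backend parser counts two request lines for the forged input, the second being the attacker's `GET /admin` on the backend's own connection; the checked path raises before anything is written.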

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                      Version            Status
varnish (PTS)    jessie, jessie (lts)                         4.0.2-1+deb8u1     fixed
                 stretch (security), stretch (lts), stretch   5.0.0-7+deb9u3     vulnerable
                 buster (security), buster, buster (lts)      6.1.1-1+deb10u4    fixed
                 bullseye (security), bullseye                6.5.1-1+deb11u3    fixed
                 bookworm                                     7.1.1-1.1          fixed
                 sid, trixie                                  7.6.0-2            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
varnish   source   jessie       (not affected)
varnish   source   buster       6.1.1-1+deb10u4              DLA-3208-1
varnish   source   bullseye     6.5.1-1+deb11u3              DSA-5334-1
varnish   source   (unstable)   7.1.1-1.1                                 1023751

Notes

https://varnish-cache.org/security/VSV00011.html
https://github.com/varnishcache/varnish-cache/commit/515a93df894430767073ccd8265497b6b25b54b5
[stretch] - varnish <ignored> (HTTP/2 support is marked experimental in 5.0 and enabling is not recommended)
[jessie] - varnish <not-affected> (HTTP/2 support added in 5.0)
