HTTP Request Forgery Vulnerability in Varnish Cache by Varnish Software
CVE-2022-45060

7.5 HIGH

What is CVE-2022-45060?

An HTTP Request Forgery vulnerability was identified in Varnish Cache, affecting versions 5.x, 6.x, 7.x, and 7.2.x prior to specific updates. An attacker can introduce invalid characters through HTTP/2 pseudo-headers, which results in malformed HTTP/1 requests being sent to backend servers. Such malformed requests could in turn exploit existing vulnerabilities on those backends, posing a significant security risk.
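The check this class of bug calls for, as an added example that is not Varnish's code or its patch: pseudo-header values are validated before they are written into an HTTP/1 request line. The function name h2_to_h1_request_line and the sample values are hypothetical, and only :method and :path are covered.

```c
#include <stdio.h>
#include <string.h>

/* RFC 9110 tchar: the only bytes allowed in a method token. */
static int is_tchar(unsigned char c)
{
    if (c >= '0' && c <= '9') return 1;
    if ((c | 0x20) >= 'a' && (c | 0x20) <= 'z') return 1;
    return c != 0 && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

static int method_ok(const char *v, size_t n)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!is_tchar((unsigned char)v[i])) return 0;
    return 1;
}

/* Reject SP, DEL and every control byte (CR, LF, NUL included). */
static int path_ok(const char *v, size_t n)
{
    if (n == 0 || (v[0] != '/' && !(n == 1 && v[0] == '*'))) return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)v[i] <= 0x20 || v[i] == 0x7f) return 0;
    return 1;
}

/* Hypothetical helper: returns bytes written, or -1 when a pseudo-header
 * is rejected or the output buffer is too small. */
int h2_to_h1_request_line(const char *method, size_t mlen,
                          const char *path, size_t plen,
                          char *out, size_t outlen)
{
    if (!method_ok(method, mlen) || !path_ok(path, plen)) return -1;
    int n = snprintf(out, outlen, "%.*s %.*s HTTP/1.1\r\n",
                     (int)mlen, method, (int)plen, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char buf[128];
    /* Constructed sample values, not taken from the advisory. */
    printf("%d\n", h2_to_h1_request_line("GET", 3, "/index.html", 11, buf, sizeof buf));
    printf("%d\n", h2_to_h1_request_line("GET", 3, "/a b", 4, buf, sizeof buf));
    printf("%d\n", h2_to_h1_request_line("GE\r\nT", 5, "/", 1, buf, sizeof buf));
    return 0;
}
```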

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
