# CVE-2022-45060 (Published)
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
## Risk Scores

EPSS score: 0.86% (75.3rd percentile)
## Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Bitnami | varnish | 5.0.0, 7.0.0, 7.2.0 |
## Timeline
- Nov 8, 2022 CVE Published
- Nov 9, 2022 EPSS Score
- Dec 22, 2022 EPSS Score
- Feb 3, 2023 EPSS Score
- Mar 18, 2023 EPSS Score
- Apr 30, 2023 EPSS Score
- Jun 12, 2023 EPSS Score
- Jul 25, 2023 EPSS Score
- Sep 6, 2023 EPSS Score
- Oct 19, 2023 EPSS Score
- Jan 13, 2024 EPSS Score
- Feb 25, 2024 EPSS Score
## References

- https://docs.varnish-software.com/security/VSV00011
- https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/
- https://varnish-cache.org/security/VSV00011.html
- https://www.debian.org/security/2023/dsa-5334
- https://nvd.nist.gov/vuln/detail/CVE-2022-45060