CVE-2022-45060

NameCVE-2022-45060
DescriptionAn HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3208-1, DSA-5334-1
Debian Bugs1023751

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
varnish (PTS)buster6.1.1-1+deb10u3vulnerable
buster (security)6.1.1-1+deb10u4fixed
bullseye6.5.1-1+deb11u2vulnerable
bullseye (security)6.5.1-1+deb11u3fixed
bookworm, sid7.1.1-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
varnishsourcebuster6.1.1-1+deb10u4DLA-3208-1
varnishsourcebullseye6.5.1-1+deb11u3DSA-5334-1
varnishsource(unstable)7.1.1-1.11023751

Notes

https://varnish-cache.org/security/VSV00011.html
https://github.com/varnishcache/varnish-cache/commit/515a93df894430767073ccd8265497b6b25b54b5
Search for package or bug name: Reporting problems