CVE-2022-38150

Description

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

How to fix CVE-2022-38150

To remediate CVE-2022-38150, upgrade the affected package to a fixed version below.

Alpine/varnish—upgrade to 7.1.1-r0 or later
—upgrade to 7.0.1 or later
—upgrade to 7.1.1-1 or later

Is CVE-2022-38150 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 7.1.1-r0
>= 7.0.0, < 7.0.1, >= 7.0.1, < 7.0.2, >= 7.0.2, < 7.0.3, >= 7.1.0, < 7.1.1
from 0, < 7.1.1-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-38150
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-38150
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/
WEB