CVE-2022-45060

Description

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

How to fix CVE-2022-45060

To remediate CVE-2022-45060, upgrade the affected package to a fixed version below.

• —upgrade to 7.2.1-r0 or later
• —upgrade to 6.0.11 or later
• —upgrade to 6.5.1-1+deb11u3 or later
• —upgrade to 6.5.1-1+deb11u3 or later

Is CVE-2022-45060 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 7.2.1-r0
• >= 5.0.0, < 6.0.11, >= 7.0.0, < 7.1.2, >= 7.2.0, < 7.2.1
• from 0, < 6.5.1-1+deb11u3
• from 0, < 6.5.1-1+deb11u3

CVSS scores

References (10)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-45060
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-45060
• WEBdocs.varnish-software.com/security/VSV00011
• WEBlists.debian.org/debian-lts-announce/2022/11/msg00036.html