CVE-2022-45060 Information

Description

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could in turn be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://docs.varnish-software.com/security/VSV00011
https://varnish-cache.org/security/VSV00011.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
