QwikSec

Security Database

CVE

CWE

Training

CVE-2022-45060

Published: Nov 9, 2022

Modified: May 1, 2025

PUBLISHED

Description

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://varnish-cache.org/security/VSV00011.html

https://docs.varnish-software.com/security/VSV00011

FEDORA-2022-babfbc2622

vendor-advisory

FEDORA-2022-0d5dcc031e

vendor-advisory

FEDORA-2022-99c5ddb2ae

vendor-advisory

[debian-lts-announce] 20221127 [SECURITY] [DLA 3208-1] varnish security update

mailing-list

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.