CVE-2022-23959

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.

Published: Jan 26, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-23959
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
varnish-software / varnich_cache	4.1	4.1.x
varnish-software / varnich_cache	4.1.1	4.1.11r6
varnish-software / varnich_cache	1.0.0	6.6.2
varnish_cache_project / varnish_cache	7.0.0	7.0.2
varnish-software / varnish_cache	6.0.0	6.0.10
varnish-software / varnish_cache_plus	6.0.0	6.0.9r4
fedoraproject / fedora	35	35.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x

https://docs.varnish-software.com/security/VSV00008/
https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
https://varnish-cache.org/security/VSV00008.html
https://www.debian.org/security/2022/dsa-5088

Vulnerability Database

289,598

CVE-2022-23959