PT-2022-16370 · Varnish+7 · Varnish Cache+8

James Kettle · Published 2022-01-26 · Updated 2026-05-11 · CVE-2022-23959

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Varnish Cache versions 6.0.0 through 6.6.1
Varnish Cache 6.0 LTS versions 6.0.0 through 6.0.9
Varnish Cache 7.x versions 7.0.0 through 7.0.1
Varnish Enterprise (Cache Plus) 4.1.x versions 4.1.0 through 4.1.11r5
Varnish Enterprise (Cache Plus) 6.0.x versions 6.0.0 through 6.0.9r3

Description

Request smuggling can occur for HTTP/1 connections in the affected versions of Varnish Cache and Varnish Enterprise.

Recommendations

For Varnish Cache versions 6.0.0 through 6.6.1, update to version 6.6.2 or later.
For Varnish Cache 6.0 LTS versions 6.0.0 through 6.0.9, update to version 6.0.10 or later.
For Varnish Cache 7.x versions 7.0.0 through 7.0.1, update to version 7.0.2 or later.
For Varnish Enterprise (Cache Plus) 4.1.x versions 4.1.0 through 4.1.11r5, update to version 4.1.11r6 or later.
For Varnish Enterprise (Cache Plus) 6.0.x versions 6.0.0 through 6.0.9r3, update to version 6.0.9r4 or later.

Fix

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

ALSA-2022:0418
BIT-VARNISH-2022-23959
CESA-2022_0418
CVE-2022-23959
DLA-2920-1
DSA-5088-1
MGASA-2022-0079
OESA-2022-1623
OPENSUSE-SU-2022:0148-1
OPENSUSE-SU-2022_0144-1
OPENSUSE-SU-2024:12086-1
OPENSUSE-SU-2026:10751-1
RHSA-2022:0418
RHSA-2022:0420
RHSA-2022:0421
RHSA-2022:0422
RHSA-2022:4745
RHSA-2022_0418
RLSA-2022:0418
USN-5474-1

Affected Products

Almalinux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Varnish Cache
Varnish Enterprise