PT-2022-7316

Martin Van Kervel Smedshammer · Published 2022-11-08 · Updated 2026-05-11 · CVE-2022-45060

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Varnish Cache versions 5.x through 6.0.10
Varnish Cache versions 7.x through 7.1.1
Varnish Cache versions 7.2.x through 7.2.0

Description

An HTTP Request Forgery issue was discovered in Varnish Cache, where an attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could be used to exploit vulnerabilities in a server behind the Varnish server.

Recommendations

For Varnish Cache versions 5.x through 6.0.10, update to version 6.0.11 or later.
For Varnish Cache versions 7.x through 7.1.1, update to version 7.1.2 or later.
For Varnish Cache versions 7.2.x through 7.2.0, update to version 7.2.1 or later.
As a temporary workaround, consider restricting access to the Varnish server to minimize the risk of exploitation.

Fix

RCE

SSRF

Related Identifiers

ALSA-2022:8643
ALSA-2022:8649
BDU:2024-03247
BIT-VARNISH-2022-45060
CESA-2022_8649
CVE-2022-45060
DLA-3208-1
DSA-5334-1
MGASA-2022-0434
OESA-2022-2111
OPENSUSE-SU-2022:10198-1
OPENSUSE-SU-2024:12496-1
OPENSUSE-SU-2026:10751-1
RHSA-2022:8643
RHSA-2022:8644
RHSA-2022:8645
RHSA-2022:8646
RHSA-2022:8647
RHSA-2022:8649
RHSA-2022:8650
RHSA-2022_8643
RHSA-2022_8649
RHSA-2023:0673
RLSA-2022:8643
RLSA-2022:8649
USN-7372-1

Affected Products

Almalinux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Ubuntu
Varnish Cache