CVE-2022-45060 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-45060 Interim 1 6 2025-02-16T02:50:07Z current 2022-11-10T00:42:32Z 2025-02-16T02:50:07Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-45060 An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFEBVAZE52U2TMYLTOEW3F7YGVD7XQL/ E-Mail link for openSUSE-SU-2022:10198-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Liberty Linux 8 SUSE Liberty Linux 9 SUSE Package Hub 15 SP4 openSUSE Leap 15.4 openSUSE Tumbleweed libvarnishapi3-7.2.1-1.1 libvarnishapi3-7.2.1-bp154.2.9.1 varnish-6.0.8-2.module+el8.7.0+17239+94d153bd.1 varnish-6.6.2-2.el9_1.1 varnish-7.2.1-1.1 varnish-7.2.1-bp154.2.9.1 varnish-devel-6.0.8-2.module+el8.7.0+17239+94d153bd.1 varnish-devel-6.6.2-2.el9_1.1 varnish-devel-7.2.1-1.1 varnish-devel-7.2.1-bp154.2.9.1 varnish-docs-6.0.8-2.module+el8.7.0+17239+94d153bd.1 varnish-docs-6.6.2-2.el9_1.1 varnish-modules-0.15.0-6.module+el8.5.0+11976+0b4af72d varnish-6.0.8-2.module+el8.7.0+17239+94d153bd.1 as a component of SUSE Liberty Linux 8 varnish-devel-6.0.8-2.module+el8.7.0+17239+94d153bd.1 as a component of SUSE Liberty Linux 8 varnish-docs-6.0.8-2.module+el8.7.0+17239+94d153bd.1 as a component of SUSE Liberty Linux 8 varnish-modules-0.15.0-6.module+el8.5.0+11976+0b4af72d as a component of SUSE Liberty Linux 8 varnish-6.6.2-2.el9_1.1 as a component of SUSE Liberty Linux 9 varnish-devel-6.6.2-2.el9_1.1 as a component of SUSE Liberty Linux 9 varnish-docs-6.6.2-2.el9_1.1 as a component of SUSE Liberty Linux 9 libvarnishapi3-7.2.1-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 varnish-7.2.1-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 varnish-devel-7.2.1-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 libvarnishapi3-7.2.1-bp154.2.9.1 as a component of openSUSE Leap 15.4 varnish-7.2.1-bp154.2.9.1 as a component of openSUSE Leap 15.4 varnish-devel-7.2.1-bp154.2.9.1 as a component of openSUSE Leap 15.4 libvarnishapi3-7.2.1-1.1 as a component of openSUSE Tumbleweed varnish-7.2.1-1.1 as a component of openSUSE Tumbleweed varnish-devel-7.2.1-1.1 as a component of openSUSE Tumbleweed An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected. CVE-2022-45060 SUSE Liberty Linux 8:varnish-6.0.8-2.module+el8.7.0+17239+94d153bd.1 SUSE Liberty Linux 8:varnish-devel-6.0.8-2.module+el8.7.0+17239+94d153bd.1 SUSE Liberty Linux 8:varnish-docs-6.0.8-2.module+el8.7.0+17239+94d153bd.1 SUSE Liberty Linux 8:varnish-modules-0.15.0-6.module+el8.5.0+11976+0b4af72d SUSE Liberty Linux 9:varnish-6.6.2-2.el9_1.1 SUSE Liberty Linux 9:varnish-devel-6.6.2-2.el9_1.1 SUSE Liberty Linux 9:varnish-docs-6.6.2-2.el9_1.1 SUSE Package Hub 15 SP4:libvarnishapi3-7.2.1-bp154.2.9.1 SUSE Package Hub 15 SP4:varnish-7.2.1-bp154.2.9.1 SUSE Package Hub 15 SP4:varnish-devel-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:libvarnishapi3-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:varnish-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:varnish-devel-7.2.1-bp154.2.9.1 openSUSE Tumbleweed:libvarnishapi3-7.2.1-1.1 openSUSE Tumbleweed:varnish-7.2.1-1.1 openSUSE Tumbleweed:varnish-devel-7.2.1-1.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N