{"id":"CVE-2022-23959","details":"In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.","aliases":["BIT-varnish-2022-23959"],"modified":"2026-05-12T08:59:21.557256915Z","published":"2022-01-26T01:15:07.900Z","related":["ALSA-2022:0418","openSUSE-SU-2022:0148-1","openSUSE-SU-2024:12086-1","openSUSE-SU-2026:10751-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/"},{"type":"ADVISORY","url":"https://varnish-cache.org/security/VSV00008.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5088"},{"type":"ADVISORY","url":"https://docs.varnish-software.com/security/VSV00008/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/varnishcache/varnish-cache","events":[{"introduced":"0"},{"fixed":"17c51b08e037fc8533fb3687a042a867235fc72f"},{"introduced":"0"},{"last_affected":"3041728c596139834b789c424ad886306f30334c"},{"introduced":"a068361dff0d25a0d85cf82a6e5fdaf315e06a7d"},{"fixed":"9a7da4ff4c0c824af33e230740a11e99fdca23d9"},{"introduced":"454733b82a3279a1603516b4f0a07f8bad4bcd55"},{"fixed":"9b5f68e19ca0ab60010641e305fd12822f18d42c"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"6.6.2"},{"introduced":"0"},{"last_affected":"4.1"},{"introduced":"6.0.0"},{"fixed":"6.0.10"},{"introduced":"7.0.0"},{"fixed":"7.0.2"}]}}],"versions":["varnish-4.0.0","varnish-4.0.0-beta1","varnish-4.0.0-tp1","varnish-4.0.0-tp2","varnish-4.0.1","varnish-4.1.0","varnish-4.1.0-beta1","varnish-6.0.0","varnish-6.0.1","varnish-6.0.2","varnish-6.0.3","varnish-6.0.4","varnish-6.0.5","varnish-6.0.6","varnish-6.0.7","varnish-6.0.8","varnish-6.0.9","varnish-6.1.0","varnish-6.4.0","varnish-6.5.0","varnish-6.5.1","varnish-6.6.0","varnish-6.6.1","varnish-7.0.0","varnish-7.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23959.json","unresolved_ranges":[{"events":[{"introduced":"4.1.1"},{"fixed":"4.1.11r6"}]},{"events":[{"introduced":"6.0.0"},{"fixed":"6.0.9r4"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}