{"id":"CVE-2022-45060","details":"An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may use HTTP/2 pseudo-headers to introduce characters that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. These invalid requests could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.","aliases":["BIT-varnish-2022-45060"],"modified":"2026-04-16T04:31:50.760547603Z","published":"2022-11-09T06:15:09.830Z","related":["ALSA-2022:8643","ALSA-2022:8649","openSUSE-SU-2022:10198-1","openSUSE-SU-2024:12496-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6ZMOZVBLZXHEV5VRW4I4SOWLQEK5OF5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XGF6LFTHXCSYMYUX5HLMVXQH3WHCSFLU/"},{"type":"ADVISORY","url":"https://varnish-cache.org/security/VSV00011.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5334"},{"type":"ADVISORY","url":"https://docs.varnish-software.com/security/VSV00011"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00036.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/varnishcache/varnish-cache","events":[{"introduced":"a068361dff0d25a0d85cf82a6e5fdaf315e06a7d"},{"fixed":"a3bc025c2df28e4a76e10c2c41217c9864e9963b"},{"introduced":"0"},{"last_affected":"a068361dff0d25a0d85cf82a6e5fdaf315e06a7d"},{"introduced":"99d036fe0b49c7487edb7dfd0da10fc2eef30505"},{"fixed":"a3bc025c2df28e4a76e10c2c41217c9864e9963b"},{"introduced":"454733b82a3279a1603516b4f0a07f8bad4bc
d55"},{"fixed":"b399e1fcc7467b8c255630fa3b3fd6311e59e4df"},{"introduced":"0"},{"last_affected":"75d4c1de9673da2ae3df3904fae960d8ae534a00"}],"database_specific":{"versions":[{"introduced":"6.0.0"},{"fixed":"6.0.11"},{"introduced":"0"},{"last_affected":"6.0.0-NA"},{"introduced":"5.0.0"},{"fixed":"6.0.11"},{"introduced":"7.0.0"},{"fixed":"7.1.2"},{"introduced":"0"},{"last_affected":"7.2.0"}]}}],"versions":["varnish-6.0.0","varnish-6.0.1","varnish-6.0.10","varnish-6.0.2","varnish-6.0.3","varnish-6.0.4","varnish-6.0.5","varnish-6.0.6","varnish-6.0.7","varnish-6.0.8","varnish-6.0.9","varnish-6.1.0","varnish-6.4.0","varnish-6.5.0","varnish-6.5.1","varnish-7.1.0","varnish-7.1.1","varnish-7.2.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"6.0.0-r0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1-r4"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1-r5"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.2-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r4"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r5"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r7"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r8"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.3-r9"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.4-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.4-r2"}]},{"events":[{"introduced":"0"},{"last_affe
cted":"6.0.4-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.5-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.5-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.5-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r10"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r4"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r5"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r7"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r8"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.6-r9"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.7-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.7-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.7-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r4"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r5"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r7"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.9-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.9-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.9-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.9-r4"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.9-r5"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.9-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.9-r7"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.10-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.10-r2"}]},{"events":[{"introduced":
"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45060.json","vanir_signatures_modified":"2026-04-12T03:22:22Z","vanir_signatures":[{"digest":{"line_hashes":["105553821208315179366129639845453211870","127635665085636467239850132907701811888"],"threshold":0.9},"source":"https://github.com/varnishcache/varnish-cache/commit/a3bc025c2df28e4a76e10c2c41217c9864e9963b","signature_type":"Line","signature_version":"v1","deprecated":false,"id":"CVE-2022-45060-04ec6fd0","target":{"file":"lib/libvarnish/version.c"}},{"digest":{"length":232,"function_hash":"270466461008454793612066310759590844104"},"source":"https://github.com/varnishcache/varnish-cache/commit/a3bc025c2df28e4a76e10c2c41217c9864e9963b","signature_type":"Function","signature_version":"v1","deprecated":false,"id":"CVE-2022-45060-4fbc69af","target":{"function":"VCS_Message","file":"lib/libvarnish/version.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}