CVE-2022-23959

Name
CVE-2022-23959
Description
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
NVD Severity
high

References

| Type | URI |
| --- | --- |
| MISC | https://varnish-cache.org/security/VSV00008.html |
| MISC | https://docs.varnish-software.com/security/VSV00008/ |
| Mailing List | https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html |
| Mailing List | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/ |
| Third Party Advisory | https://www.debian.org/security/2022/dsa-5088 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:-:*:*:* | varnich_cache | >= 1.0.0 | < 6.6.2 |
| cpe:2.3:a:varnish-software:varnich_cache:4.1:*:*:*:lts:*:*:* | varnich_cache | == None | == 4.1 |
| cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:plus:*:*:* | varnich_cache | >= 4.1.1 | < 4.1.11r6 |
| cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:plus:*:*:* | varnich_cache | >= 6.0.0 | < 6.0.9r4 |
| cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:lts:*:*:* | varnich_cache | >= 6.0.0 | < 6.0.10 |
| cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:-:*:*:* | varnich_cache | >= 7.0.0 | < 7.0.2 |
| cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:* | varnish_cache | >= 7.0.0 | < 7.0.2 |
| cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:* | varnish_cache | >= 6.0.0 | < 6.0.10 |
| cpe:2.3:a:varnish-software:varnish_cache_plus:*:*:*:*:*:*:*:* | varnish_cache_plus | >= 6.0.0 | < 6.0.9r4 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| varnish | 3.13-main | 6.5.2-r1 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| varnish | 3.12-main | 6.5.2-r1 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| varnish | 3.14-main | 6.6.2-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |