CVE-2022-38150

Name
CVE-2022-38150
Description
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
NVD Severity
medium

References

Type URI
MISC https://varnish-cache.org/security/VSV00009.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:varnish_cache_project:varnish_cache:7.1.0:*:*:*:*:*:*:* | varnish_cache | == None | == 7.1.0
cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.2:*:*:*:*:*:*:* | varnish_cache | == None | == 7.0.2
cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.1:*:*:*:*:*:*:* | varnish_cache | == None | == 7.0.1
cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.0:*:*:*:*:*:*:* | varnish_cache | == None | == 7.0.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status