Vulnerability-Lookup

CVE-2022-23959 (GCVE-0-2022-23959)

Vulnerability from cvelistv5 – Published: 2022-01-26 00:38 – Updated: 2024-08-03 03:59

Summary

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

FKIE_CVE-2022-23959

Vulnerability from fkie_nvd - Published: 2022-01-26 01:15 - Updated: 2024-11-21 06:49

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
cve@mitre.org	https://docs.varnish-software.com/security/VSV00008/	Mitigation, Vendor Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
cve@mitre.org	https://varnish-cache.org/security/VSV00008.html	Mitigation, Vendor Advisory
cve@mitre.org	https://www.debian.org/security/2022/dsa-5088	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.varnish-software.com/security/VSV00008/	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
af854a3a-2127-422b-91ae-364da2661108	https://varnish-cache.org/security/VSV00008.html	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2022/dsa-5088	Third Party Advisory

Impacted products

Vendor	Product	Version
varnish-software	varnich_cache	*
varnish-software	varnich_cache	*
varnish-software	varnich_cache	4.1
varnish-software	varnish_cache	*
varnish-software	varnish_cache_plus	*
varnish_cache_project	varnish_cache	*
fedoraproject	fedora	35
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "46189326-29F3-4641-ADB0-5355B69776D1",
              "versionEndExcluding": "6.6.2",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:plus:*:*:*",
              "matchCriteriaId": "409748DC-967D-4843-8FE4-E06F75A4B459",
              "versionEndExcluding": "4.1.11r6",
              "versionStartIncluding": "4.1.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:varnish-software:varnich_cache:4.1:*:*:*:lts:*:*:*",
              "matchCriteriaId": "9EE19451-5DA3-4F4B-B972-13ED93EE4446",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "5C4F2BA4-3275-4365-9F41-0D04320C383A",
              "versionEndExcluding": "6.0.10",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:varnish-software:varnish_cache_plus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "16AE4401-F65C-4246-98AA-AAAAEFA97D73",
              "versionEndExcluding": "6.0.9r4",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E0E1405-62BB-446D-A04B-0A312FB81E3E",
              "versionEndExcluding": "7.0.2",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections."
    },
    {
      "lang": "es",
      "value": "En Varnish Cache versiones anteriores a 6.6.2 y 7.x versiones anteriores a 7.0.2, Varnish Cache 6.0 LTS versiones anteriores a 6.0.10, y  Varnish Enterprise (Cache Plus) 4.1.x versiones anteriores a 4.1.11r6 y 6.0.x versiones anteriores a 6.0.9r4, puede producirse contrabando de peticiones para conexiones HTTP/1"
    }
  ],
  "id": "CVE-2022-23959",
  "lastModified": "2024-11-21T06:49:32.090",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-26T01:15:07.900",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://docs.varnish-software.com/security/VSV00008/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://varnish-cache.org/security/VSV00008.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5088"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://docs.varnish-software.com/security/VSV00008/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://varnish-cache.org/security/VSV00008.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5088"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

bit-varnish-2022-23959

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:08

Modified

2025-04-03 14:40

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "varnish",
        "purl": "pkg:bitnami/varnish"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23959"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*"
    ],
    "severity": "Critical"
  },
  "details": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.",
  "id": "BIT-varnish-2022-23959",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:08:25.199Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://docs.varnish-software.com/security/VSV00008/"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/"
    },
    {
      "type": "WEB",
      "url": "https://varnish-cache.org/security/VSV00008.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5088"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23959"
    }
  ],
  "schema_version": "1.5.0"
}

GHSA-FCQV-R8CV-F88H

Vulnerability from github – Published: 2022-02-08 00:00 – Updated: 2022-03-18 00:01

Details

Severity ?

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-23959"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-26T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.",
  "id": "GHSA-fcqv-r8cv-f88h",
  "modified": "2022-03-18T00:01:35Z",
  "published": "2022-02-08T00:00:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23959"
    },
    {
      "type": "WEB",
      "url": "https://docs.varnish-software.com/security/VSV00008"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT"
    },
    {
      "type": "WEB",
      "url": "https://varnish-cache.org/security/VSV00008.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5088"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-23959

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-23959

Aliases

CVE-2022-23959

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23959",
    "description": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.",
    "id": "GSD-2022-23959",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-23959.html",
      "https://www.debian.org/security/2022/dsa-5088",
      "https://access.redhat.com/errata/RHSA-2022:0422",
      "https://access.redhat.com/errata/RHSA-2022:0421",
      "https://access.redhat.com/errata/RHSA-2022:0420",
      "https://access.redhat.com/errata/RHSA-2022:0418",
      "https://advisories.mageia.org/CVE-2022-23959.html",
      "https://linux.oracle.com/cve/CVE-2022-23959.html",
      "https://access.redhat.com/errata/RHSA-2022:4745",
      "https://ubuntu.com/security/CVE-2022-23959",
      "https://alas.aws.amazon.com/cve/html/CVE-2022-23959.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-23959"
      ],
      "details": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.",
      "id": "GSD-2022-23959",
      "modified": "2023-12-13T01:19:35.475048Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-23959",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://varnish-cache.org/security/VSV00008.html",
            "refsource": "MISC",
            "url": "https://varnish-cache.org/security/VSV00008.html"
          },
          {
            "name": "https://docs.varnish-software.com/security/VSV00008/",
            "refsource": "MISC",
            "url": "https://docs.varnish-software.com/security/VSV00008/"
          },
          {
            "name": "[debian-lts-announce] 20220214 [SECURITY] [DLA 2920-1] varnish security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"
          },
          {
            "name": "FEDORA-2022-2f14ec7663",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/"
          },
          {
            "name": "DSA-5088",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5088"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:varnish-software:varnich_cache:4.1:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:plus:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.1.11r6",
                "versionStartIncluding": "4.1.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:varnish-software:varnich_cache:*:*:*:*:-:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.6.2",
                "versionStartIncluding": "1.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.0.2",
                "versionStartIncluding": "7.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.10",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:varnish-software:varnish_cache_plus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.9r4",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-23959"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-444"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://varnish-cache.org/security/VSV00008.html",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://varnish-cache.org/security/VSV00008.html"
            },
            {
              "name": "https://docs.varnish-software.com/security/VSV00008/",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://docs.varnish-software.com/security/VSV00008/"
            },
            {
              "name": "[debian-lts-announce] 20220214 [SECURITY] [DLA 2920-1] varnish security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html"
            },
            {
              "name": "FEDORA-2022-2f14ec7663",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/"
            },
            {
              "name": "DSA-5088",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5088"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2022-08-02T19:35Z",
      "publishedDate": "2022-01-26T01:15Z"
    }
  }
}

cve-2022-23959

Vulnerability from osv_almalinux

Published

2022-02-03 09:29

Modified

2022-02-04 16:49

Summary

Important: varnish:6 security update

Details

Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.

Security Fix(es):

varnish: HTTP/1 request smuggling vulnerability (CVE-2022-23959)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.8-1.module_el8.5.0+2620+03a0c2cc.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.8-1.module_el8.5.0+76+a10ffa55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.8-1.module_el8.5.0+76+a10ffa55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.8-1.module_el8.5.0+2620+03a0c2cc.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.8-1.module_el8.5.0+2620+03a0c2cc.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.8-1.module_el8.5.0+76+a10ffa55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.15.0-6.module_el8.5.0+2620+03a0c2cc"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "varnish-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.15.0-6.module_el8.5.0+76+a10ffa55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don\u0027t have to create the same web page over and over again, giving the website a significant speed up.\n\nSecurity Fix(es):\n\n* varnish: HTTP/1 request smuggling vulnerability (CVE-2022-23959)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:0418",
  "modified": "2022-02-04T16:49:12Z",
  "published": "2022-02-03T09:29:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2022-0418.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-23959"
    }
  ],
  "related": [
    "CVE-2022-23959"
  ],
  "summary": "Important: varnish:6 security update"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-23959 (GCVE-0-2022-23959)

FKIE_CVE-2022-23959

bit-varnish-2022-23959

Vulnerability from bitnami_vulndb

GHSA-FCQV-R8CV-F88H

GSD-2022-23959

cve-2022-23959

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature