Advisories ยป MGASA-2022-0434

Updated varnish packages fix security vulnerability

Publication date: 18 Nov 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-45060


An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x
before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may
introduce characters through HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line, causing the Varnish server to produce
invalid HTTP/1 requests to the backend. This could, in turn, be used to
exploit vulnerabilities in a server behind the Varnish server.