CVE-2022-23959
Severity: CRITICAL 9.1 | EPSS: 0.34% | varnish - security update
Published: 1/26/2022 | Modified: 12/3/2025
Also known as: ALPINE-CVE-2022-23959
Description
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
Affected packages (4)
- Alpine/varnish: from 0, < 6.5.2-r1
- Bitnami/varnish: >= 7.0.0, < 7.0.2
- Debian/varnish: from 0, < 6.5.1-1+deb11u2
- Debian/varnish: from 0, < 5.0.0-7+deb9u3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (8)
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2022-23959
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2022-23959
- WEB: https://docs.varnish-software.com/security/VSV00008/
- WEB: https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2022-23959
- WEB: https://varnish-cache.org/security/VSV00008.html
- WEB: https://www.debian.org/security/2022/dsa-5088