CVE-2022-23959
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-23959
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23959.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-23959
- Aliases
- Downstream
- Related
- Published
- 2022-01-26T01:15:07Z
- Modified
- 2025-10-15T13:48:48.426372Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
- References
-
- https://docs.varnish-software.com/security/VSV00008/
- https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html
- https://varnish-cache.org/security/VSV00008.html
- https://www.debian.org/security/2022/dsa-5088
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
Affected packages
Git / github.com/varnishcache/varnish-cache
Affected ranges
- Type
- GIT
- Repo
- https://github.com/varnishcache/varnish-cache
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
varnish-3.*
varnish-3.0.0-beta1
varnish-3.0.0-beta2
varnish-4.*
varnish-4.0.0
varnish-4.0.0-beta1
varnish-4.0.0-tp1
varnish-4.0.0-tp2
varnish-4.0.1
varnish-5.*
varnish-5.0.0
varnish-5.1.0
varnish-5.1.1
varnish-5.1.2
varnish-6.*
varnish-6.0.0
varnish-6.1.0
varnish-6.4.0
varnish-6.5.0
varnish-6.5.1
varnish-6.6.0
varnish-6.6.1