CVE-2022-45059 Common Vulnerabilities and Exposures

Upstream information

CVE-2022-45059 at MITRE

Description

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail	CNA (CISA-ADP)	National Vulnerability Database
Base Score	7.5	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector	Network	Network
Attack Complexity	Low	Low
Privileges Required	None	None
User Interaction	None	None
Scope	Unchanged	Unchanged
Confidentiality Impact	None	None
Integrity Impact	High	High
Availability Impact	None	None
CVSSv3 Version	3.1	3.1

SUSE Bugzilla entry: 1205243 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2022:10198-1, published Sat Nov 12 08:46:04 2022

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 15 SP4	`libvarnishapi3 >= 7.2.1-bp154.2.9.1` `varnish >= 7.2.1-bp154.2.9.1` `varnish-devel >= 7.2.1-bp154.2.9.1`	Patchnames: openSUSE-2022-10198
openSUSE Leap 15.4	`libvarnishapi3 >= 7.2.1-bp154.2.9.1` `varnish >= 7.2.1-bp154.2.9.1` `varnish-devel >= 7.2.1-bp154.2.9.1`	Patchnames: openSUSE-2022-10198
openSUSE Tumbleweed	`libvarnishapi3 >= 7.2.1-1.1` `varnish >= 7.2.1-1.1` `varnish-devel >= 7.2.1-1.1`	Patchnames: openSUSE-Tumbleweed-2024-12496

SUSE Timeline for this CVE

CVE page created: Wed Nov 9 13:02:35 2022
CVE page last modified: Mon Oct 6 19:38:18 2025