An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
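The class of bug described above is a translation problem: an HTTP/2 frontend accepts pseudo-header values (`:method`, `:scheme`, `:path`, `:authority`) and reassembles them into an HTTP/1 request line for the backend, so any whitespace, CR/LF or other control characters that survive that translation are read by the backend as delimiters of a different request. The following is an added illustration, not Varnish's own code or the upstream fix: a defensive validator that applies the RFC 9110 token and URI grammar to pseudo-header values and refuses to build a request line when any value would be ambiguous in HTTP/1. The function names and the sample pseudo-header sets are constructed for the example.

```python
import re
from typing import Dict, List

# The HTTP/1 request line is "METHOD SP request-target SP HTTP-version CRLF".
# Any control character (including HTAB, CR, LF, NUL) or a bare space inside a
# pseudo-header value would be interpreted by an HTTP/1 backend as a field
# separator or line terminator, so none of them may reach the request line.
_CONTROL = {chr(c) for c in range(0x00, 0x20)} | {"\x7f"}

# RFC 9110 tchar set: the only characters allowed in a method token.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 3986 scheme grammar.
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")


def _unsafe_for_request_line(value: str) -> bool:
    """True if the value contains a space or any control character."""
    return " " in value or any(ch in _CONTROL for ch in value)


def pseudo_header_problems(pseudo: Dict[str, str]) -> List[str]:
    """Return the reasons a set of HTTP/2 pseudo-headers cannot be mapped
    safely onto an HTTP/1 request line; an empty list means they can."""
    problems: List[str] = []
    method = pseudo.get(":method", "")
    scheme = pseudo.get(":scheme", "")
    path = pseudo.get(":path", "")
    authority = pseudo.get(":authority")

    # re.fullmatch is used rather than "^...$": "$" would accept a trailing LF.
    if not _TOKEN_RE.fullmatch(method):
        problems.append(":method is not an RFC 9110 token")

    if method == "CONNECT":
        # CONNECT carries only :method and :authority (RFC 9113 section 8.5).
        if authority is None:
            problems.append(":authority is required for CONNECT")
    else:
        if not _SCHEME_RE.fullmatch(scheme):
            problems.append(":scheme is not a valid URI scheme")
        if not path:
            problems.append(":path is empty")
        elif _unsafe_for_request_line(path):
            problems.append(":path contains whitespace or control characters")
        elif not (path.startswith("/") or path == "*"):
            problems.append(":path is neither origin-form nor asterisk-form")

    if authority is not None and _unsafe_for_request_line(authority):
        problems.append(":authority contains whitespace or control characters")
    return problems


def build_request_line(pseudo: Dict[str, str]) -> str:
    """Produce the HTTP/1.1 request line for validated pseudo-headers, raising
    ValueError instead of emitting a line the backend could misparse."""
    problems = pseudo_header_problems(pseudo)
    if problems:
        raise ValueError("; ".join(problems))
    if pseudo[":method"] == "CONNECT":
        target = pseudo[":authority"]          # authority-form
    else:
        target = pseudo[":path"]               # origin-form or "*"
    return f"{pseudo[':method']} {target} HTTP/1.1\r\n"


if __name__ == "__main__":
    # Constructed sample inputs: one clean request and one whose :path would
    # smuggle a second request line into the HTTP/1 stream.
    clean = {":method": "GET", ":scheme": "https",
             ":path": "/index.html", ":authority": "example.com"}
    tainted = {":method": "GET", ":scheme": "https",
               ":path": "/index.html HTTP/1.1\r\nX-Injected: 1",
               ":authority": "example.com"}
    print(repr(build_request_line(clean)))
    print(pseudo_header_problems(tainted))
```

The validator is deliberately stricter than "strip CR and LF": a space in `:path` is just as damaging to an HTTP/1 request line as a newline, and a method that is not a token has no representation in HTTP/1 at all. Rejecting the request at the frontend is the right outcome, since rewriting the value would silently change what the backend receives.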
Created varnish tracking bugs for this issue:
Affects: epel-7 [bug 2141848]
Affects: fedora-all [bug 2141847]
Public upstream commit for this issue: https://github.com/varnishcache/varnish-cache/commit/687ffb6452ba570778a83b6eb1df8ac1b31d9221
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8643 https://access.redhat.com/errata/RHSA-2022:8643
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:8644 https://access.redhat.com/errata/RHSA-2022:8644
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:8645 https://access.redhat.com/errata/RHSA-2022:8645
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2022:8646 https://access.redhat.com/errata/RHSA-2022:8646
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:8647 https://access.redhat.com/errata/RHSA-2022:8647
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:8649 https://access.redhat.com/errata/RHSA-2022:8649
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2022:8650 https://access.redhat.com/errata/RHSA-2022:8650
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:0673 https://access.redhat.com/errata/RHSA-2023:0673
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-45060