CVE-2022-23959
Publication date 26 January 2022
Last updated 24 July 2024
Ubuntu priority
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| varnish | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Fixed 6.6.1-1ubuntu0.2
|
|
| 20.04 LTS focal |
Fixed 6.2.1-2ubuntu0.1
|
|
| 18.04 LTS bionic |
Fixed 5.2.1-1ubuntu0.1
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.1 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5474-1
- Varnish Cache vulnerabilities
- 8 June 2022