CVE-2022-38150

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/
https://varnish-cache.org/security/VSV00009.html	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.0:::::::*
	cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.1:::::::*
	cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.2:::::::*
	cpe:2.3:a:varnish_cache_project:varnish_cache:7.1.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

History

07 Nov 2023, 03:50

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/', 'name': 'FEDORA-2022-1fa6d1ed2f', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/', 'name': 'FEDORA-2022-99702d9bdd', 'tags': ['Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/', 'name': 'FEDORA-2022-99c5ddb2ae', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/ -

29 Nov 2022, 17:35

Type	Values Removed	Values Added
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/ - Mailing List, Third Party Advisory
CPE		cpe:2.3:o:fedoraproject:fedora:35:::::::*

26 Nov 2022, 03:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/ -

30 Aug 2022, 12:37

Type	Values Removed	Values Added
First Time		Fedoraproject Fedoraproject fedora
CPE		cpe:2.3:o:fedoraproject:fedora:36:::::::*
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/ - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/ - Mailing List, Third Party Advisory

22 Aug 2022, 04:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/ -

15 Aug 2022, 16:08

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.2:::::::* cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.0:::::::* cpe:2.3:a:varnish_cache_project:varnish_cache:7.1.0:::::::* cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.1:::::::*
First Time		Varnish Cache Project varnish Cache Varnish Cache Project
References	~~(MISC) https://varnish-cache.org/security/VSV00009.html -~~	(MISC) https://varnish-cache.org/security/VSV00009.html - Mitigation, Vendor Advisory

11 Aug 2022, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-11 01:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-38150

Mitre link : CVE-2022-38150

CVE.ORG link : CVE-2022-38150

JSON object : View

Products Affected

varnish_cache_project

varnish_cache

fedoraproject

fedora

CWE

NVD-CWE-noinfo

7.5 /10