7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.003 Low
EPSS
Percentile
69.6%
An HTTP Request Forgery issue was discovered in Varnish Cache. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could be used to exploit vulnerabilities in a server behind the Varnish server.
The following mitigation can be applied under the impossibility of update the varnish package:
Add the following snippet under vcl_recv VCL function at /etc/varnish/default.vcl
if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") {
return (synth(400));
}
Restart the varnish service by running the following command as a privileged user:
systemctl restart varnish
The VCL script above will check by any invalid character or pseudo-header values and when found it will return a synthetic HTTP error code 400.