Skip to content

kube-httpcache is vulnerable to Cross-Site Request Forgery (CSRF)

Moderate severity GitHub Reviewed Published Nov 29, 2022 in mittwald/kube-httpcache • Updated Jan 12, 2023

Package

gomod github.com/mittwald/kube-httpcache (Go)

Affected versions

< 0.7.1

Patched versions

0.7.1

Description

Impact

A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.
-- https://varnish-cache.org/security/VSV00011.html#vsv00011

Patches

This is fixed in Varnish 6.0.11; Varnish 6.0.11 is available in kube-httpcache versions v0.7.1 and later.

Workarounds

See upstream mitigation hints.

References

References

@martin-helmich martin-helmich published to mittwald/kube-httpcache Nov 29, 2022
Published to the GitHub Advisory Database Dec 2, 2022
Reviewed Dec 2, 2022
Last updated Jan 12, 2023

Severity

Moderate

EPSS score

Weaknesses

Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-47xh-qxqv-mgvg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.