Lookup for vulnerable packages by Package URL.
| Purl | pkg:golang/github.com/mittwald/kube-httpcache@0.7.1 |
|---|
| Type | golang |
|---|
| Namespace | github.com/mittwald |
|---|
| Name | kube-httpcache |
|---|
| Version | 0.7.1 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-bauu-4q7u-cbg8 |
| vulnerability_id |
VCID-bauu-4q7u-cbg8 |
| summary |
kube-httpcache is vulnerable to Cross-Site Request Forgery (CSRF)
### Impact
> A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.
> -- https://varnish-cache.org/security/VSV00011.html#vsv00011
### Patches
This is fixed in Varnish 6.0.11; Varnish 6.0.11 is available in `kube-httpcache` versions v0.7.1 and later.
### Workarounds
See [upstream mitigation hints](https://varnish-cache.org/security/VSV00011.html#mitigation).
### References
- https://varnish-cache.org/security/VSV00011.html#vsv00011 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-47xh-qxqv-mgvg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bauu-4q7u-cbg8 |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mittwald/kube-httpcache@0.7.1 |
|---|