GHSA-47xh-qxqv-mgvg: 
vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in kube-httpcache affecting versions prior to 0.7.1. The vulnerability was published on November 29, 2022, and updated on January 12, 2023. The issue specifically affects Varnish Cache servers with HTTP/2 protocol enabled and is tracked as GHSA-47xh-qxqv-mgvg and CVE-2022-45060 (GitHub Advisory, Varnish Security).

The vulnerability allows attackers to introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line. This causes the Varnish server to produce invalid HTTP/1 requests to the backend. The issue affects multiple versions including Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0, and Varnish Cache 6.0 LTS series up to and including 6.0.10. The vulnerability is classified as moderate severity and is associated with CWE-352 (Varnish Security).

When exploited, this vulnerability can be used to successfully exploit vulnerabilities in servers behind the Varnish server through request forgery attacks. The impact is particularly significant for systems using HTTP/2 protocol with Varnish Cache as a frontend (Varnish Security).

The vulnerability is fixed in kube-httpcache version 0.7.1 and later, which includes Varnish 6.0.11. For systems unable to upgrade, a mitigation is available by adding a VCL snippet at the beginning of the vclrecv function to test for problematic characters in incoming HTTP/2 pseudo-headers: `sub vclrecv { if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") { return (synth(400)); } }` (GitHub Advisory, Varnish Security).