CVE-2021-36740
varnish - security update
Severity: MEDIUM (6.5) | EPSS: 0.96%
Published: 7/14/2021 | Modified: 4/28/2026
Description
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
Affected packages (4)
- Alpine/varnish: from 0, < 6.5.2-r0
- Bitnami/varnish: >= 5.0.0, < 5.2.2; >= 6.1.0, < 6.6.1
- Debian/varnish (bullseye): from 0, < 6.5.1-1+deb11u2
- Debian/varnish (buster): from 0, < 6.1.1-1+deb10u3
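The description and the package list above give the affected ranges in several ecosystems, each with its own version syntax. The following is an added example (not part of the advisory, of OSV, or of the Varnish project) that transcribes those ranges as half-open [introduced, fixed) intervals and checks an installed version against them. The version ordering is a simplified tokenised comparison, an assumption that is adequate for the strings on this page but not the exact dpkg or apk algorithm; the `varnishd -V` sample line is constructed. The upstream 5.x/6.x range is split so that the 6.0 LTS branch (fixed in 6.0.8) is evaluated separately from 6.1 onwards (fixed in 6.5.2) and from 6.6.x (fixed in 6.6.1).

```python
"""Check a Varnish version against the CVE-2021-36740 affected ranges.

Added example, not part of the advisory or of Varnish.  Ranges are
transcribed from the advisory text; the ordering below is a simplified
tokenised compare (assumption), not dpkg's or apk's exact algorithm.
"""
import re
from typing import Dict, List, Optional, Tuple

# Half-open [introduced, fixed) ranges per ecosystem, transcribed from the page.
# "0" stands for "every release up to the fix".
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "upstream":   [("5.0.0", "6.0.8"), ("6.1.0", "6.5.2"), ("6.6.0", "6.6.1")],
    "enterprise": [("6.0.0", "6.0.8r3")],
    "alpine":     [("0", "6.5.2-r0")],
    "bitnami":    [("5.0.0", "5.2.2"), ("6.1.0", "6.6.1")],
    "debian11":   [("0", "6.5.1-1+deb11u2")],
    "debian10":   [("0", "6.1.1-1+deb10u3")],
}

Token = Tuple[int, object]


def _tokens(version: str) -> List[Token]:
    """Split a version into digit runs (compared numerically) and letter runs
    (compared as strings); separators such as '.', '-' and '+' are dropped.
    The leading tag orders numbers before letters, so '6.5.2' < '6.5.2-r0'
    and '6.0.8r2' < '6.0.8r3'.  Simplified ordering, see module docstring."""
    out: List[Token] = []
    for m in re.finditer(r"\d+|[A-Za-z]+", version):
        s = m.group(0)
        out.append((0, int(s)) if s.isdigit() else (1, s))
    return out


def _lt(a: str, b: str) -> bool:
    return _tokens(a) < _tokens(b)


def fix_for(version: str, ecosystem: str = "upstream") -> Optional[str]:
    """Return the fixed version to upgrade to when `version` lies inside one
    of the ecosystem's [introduced, fixed) ranges, otherwise None."""
    for introduced, fixed in AFFECTED[ecosystem]:
        if not _lt(version, introduced) and _lt(version, fixed):
            return fixed
    return None


def is_affected(version: str, ecosystem: str = "upstream") -> bool:
    return fix_for(version, ecosystem) is not None


# `varnishd -V` prints a line of the form
#   varnishd (varnish-<version> revision <git hash>)
# The sample below is constructed for this example; the hash is a placeholder.
SAMPLE_VARNISHD_V = (
    "varnishd (varnish-6.0.7 revision 0123456789abcdef0123456789abcdef01234567)"
)


def parse_varnishd_version(output: str) -> Optional[str]:
    """Extract the upstream version from `varnishd -V` output."""
    m = re.search(r"varnish-(\S+)\s+revision", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    v = parse_varnishd_version(SAMPLE_VARNISHD_V)
    if v is None:
        print("could not parse varnishd -V output")
    else:
        fix = fix_for(v)
        print(v, "affected, upgrade to" if fix else "not affected", fix or "")
```

For distribution packages, confirm a borderline result with the native comparator (`dpkg --compare-versions`, `apk version`) rather than this tokeniser. Also note the precondition in the description: the issue needs HTTP/2 enabled, which varnishd only does when started with `-p feature=+http2` (it is off by default); deployments that never enabled it are not exposed, and turning it off is the interim workaround where the upgrade cannot be applied immediately.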
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References (10)
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2021-36740
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-36740
- WEB: https://docs.varnish-software.com/security/VSV00007/
- WEB: https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be
- WEB: https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHBNLDEOTGYRIEQZBWV7F6VPYS4O2AAK/
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2021-36740
- WEB: https://varnish-cache.org/security/VSV00007.html
- WEB: https://www.debian.org/security/2022/dsa-5088