Candidate: CVE-2021-36740
PublicDate: 2021-07-14 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36740
 https://varnish-cache.org/security/VSV00007.html
 https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf (6.0.8)
 https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be (6.5.2)
 https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be
 https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf
 https://docs.varnish-software.com/security/VSV00007/
Description:
 Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
 authorization bypass via a large Content-Length header for a POST request.
 This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
 and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
Ubuntu-Description:
Notes:
 ebarretto> According to Debian:
 ebarretto> (HTTP/2 support is marked experimental in 5.0 and enabling is not
 ebarretto> recommended, code is quite different)
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1939281
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991040
Priority: medium
Discovered-by:
Assigned-to: ebarretto
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N [6.5 MEDIUM]

Patches_varnish:
upstream_varnish: needs-triage
trusty_varnish: ignored (out of standard support)
trusty/esm_varnish: not-affected
xenial_varnish: ignored (out of standard support)
bionic_varnish: not-affected
focal_varnish: needed
groovy_varnish: ignored (reached end-of-life)
hirsute_varnish: ignored (reached end-of-life)
impish_varnish: released (6.5.2-1)
jammy_varnish: not-affected (6.5.2-1)
devel_varnish: not-affected (6.5.2-1)