Varnish Cache, when HTTP/2 is enabled, allows HTTP request smuggling and VCL authorization bypass via a large Content-Length header on a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
[
{
"id": "CVE-2021-36740-40a11df2",
"deprecated": false,
"digest": {
"line_hashes": [
"96594679652235793478936197214739384428",
"339459041543529833794218464905202114607",
"279418260458959367168050697796270059616"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "bin/varnishd/http2/cache_http2.h"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf",
"signature_type": "Line"
},
{
"id": "CVE-2021-36740-53eab5af",
"deprecated": false,
"digest": {
"line_hashes": [
"319068846067141077674517737040206032799",
"274353302911709537974243764397932581341",
"208905520421134520460266232406743196538",
"73086315340845631618599290708976930073",
"45345459762820099820689968109526438325",
"340200689723017681936032407269823666538",
"131104118656162689643490246175672649667",
"328345390936522563376720596018008165721",
"76731877846164817541578033198421077993",
"128439728396422328233434357191828462337",
"107319550199931273783163815162928966657",
"81157401837015946607351207867327299215",
"97360033589979999387691178642859045922",
"73536272802941455868253792413217309254",
"338175314527739574972815094415174854982",
"35372504324213186992998909497482117632",
"141805938930458057492783450825077972424",
"95652761703888682500413291417301362049",
"144016718817270494714516261481624246524",
"23034497810754045751552518789258766638",
"250684336114939372379667006286775547711",
"234489751868536946923934456578626828431",
"261066693767689040588092339008749352082",
"77032436857494004235688079038925959168",
"201993082614027781764269695738784931002",
"224075334554160644837040476532160299252",
"87774922790116606955180312971410476114",
"272703658077891915828801242324228797896",
"2868793699174563681990444113713545452",
"196460651349024236897844127213278127554",
"125430785635549524489210990494404182027",
"132920814885250519596789044201833532554",
"67223240496591929872137056882178336880",
"222798785167562960086044945753951445944",
"171725439827953424882661539175816631452",
"311300411274644989261442296934303587302",
"248202766650665968777041095278730149429",
"110829078053625966343870111990685952478",
"211459360683093362770562507676684227624",
"12001120493820655175044509516892331829",
"78346852381289768209228900915764655954",
"289634711716964746914009452996406474211",
"215426642459140248912779234757462492466",
"332084814337334570559592300199245217027"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf",
"signature_type": "Line"
},
{
"id": "CVE-2021-36740-6f018b40",
"deprecated": false,
"digest": {
"length": 1723.0,
"function_hash": "289837936790979699010818898396070346431"
},
"signature_version": "v1",
"target": {
"function": "h2_end_headers",
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf",
"signature_type": "Function"
},
{
"id": "CVE-2021-36740-890ec268",
"deprecated": false,
"digest": {
"length": 1721.0,
"function_hash": "189079400166567416762404618048211487590"
},
"signature_version": "v1",
"target": {
"function": "h2_rx_data",
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf",
"signature_type": "Function"
},
{
"id": "CVE-2021-36740-a8ddf732",
"deprecated": false,
"digest": {
"length": 1266.0,
"function_hash": "250733975286537413943421660320081123180"
},
"signature_version": "v1",
"target": {
"function": "h2_vfp_body",
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf",
"signature_type": "Function"
},
{
"id": "CVE-2021-36740-b4873106",
"deprecated": false,
"digest": {
"line_hashes": [
"321512367868134525491539838871430876084",
"53966348232674706180883999704314591993",
"112189269010713934362454945982987285093",
"83452261533668801857880234681874210620",
"126557411321562658525626135066837660832",
"138844621303148241755654140191731255422",
"106790144876060690172069889601222975062",
"60137546732818246979747965706000576656",
"336365565918691845243515060963439140418",
"155958802197505590868152760828239707175",
"272889598194545998678854085594421793864",
"132211763810066596212092125342379472967",
"291243419860909989710731087945611959123",
"48507533879275631949945225808360190879",
"158364661238759135933036554770533983942",
"338175314527739574972815094415174854982",
"35372504324213186992998909497482117632",
"141805938930458057492783450825077972424",
"95652761703888682500413291417301362049",
"144016718817270494714516261481624246524",
"23034497810754045751552518789258766638",
"250684336114939372379667006286775547711",
"234489751868536946923934456578626828431",
"261066693767689040588092339008749352082",
"77032436857494004235688079038925959168",
"201993082614027781764269695738784931002",
"224075334554160644837040476532160299252",
"87774922790116606955180312971410476114",
"272703658077891915828801242324228797896",
"2868793699174563681990444113713545452",
"196460651349024236897844127213278127554",
"125430785635549524489210990494404182027",
"132920814885250519596789044201833532554",
"67223240496591929872137056882178336880",
"222798785167562960086044945753951445944",
"171725439827953424882661539175816631452",
"311300411274644989261442296934303587302",
"248202766650665968777041095278730149429",
"110829078053625966343870111990685952478",
"211459360683093362770562507676684227624",
"12001120493820655175044509516892331829",
"78346852381289768209228900915764655954",
"289634711716964746914009452996406474211",
"215426642459140248912779234757462492466",
"332084814337334570559592300199245217027"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be",
"signature_type": "Line"
},
{
"id": "CVE-2021-36740-c648d8d1",
"deprecated": false,
"digest": {
"length": 1266.0,
"function_hash": "250733975286537413943421660320081123180"
},
"signature_version": "v1",
"target": {
"function": "h2_vfp_body",
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be",
"signature_type": "Function"
},
{
"id": "CVE-2021-36740-d5bdb164",
"deprecated": false,
"digest": {
"length": 1721.0,
"function_hash": "189079400166567416762404618048211487590"
},
"signature_version": "v1",
"target": {
"function": "h2_rx_data",
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be",
"signature_type": "Function"
},
{
"id": "CVE-2021-36740-f02afbb1",
"deprecated": false,
"digest": {
"length": 1607.0,
"function_hash": "238937024195301636687300950763608509409"
},
"signature_version": "v1",
"target": {
"function": "h2_end_headers",
"file": "bin/varnishd/http2/cache_http2_proto.c"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be",
"signature_type": "Function"
},
{
"id": "CVE-2021-36740-f1bb3ce2",
"deprecated": false,
"digest": {
"line_hashes": [
"96594679652235793478936197214739384428",
"339459041543529833794218464905202114607",
"177132310497924254819981955067877769698"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "bin/varnishd/http2/cache_http2.h"
},
"source": "https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be",
"signature_type": "Line"
}
]