{"id":"CVE-2021-36740","details":"Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.","aliases":["BIT-varnish-2021-36740"],"modified":"2026-05-16T04:03:06.197231062Z","published":"2021-07-14T17:15:08.253Z","related":["openSUSE-SU-2022:0148-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"10.0"},{"last_affected":"11.0"}],"source":"CPE_FIELD","vendor_product":"debian:debian_linux"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"33"},{"last_affected":"34"}],"cpes":["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"],"vendor_product":"fedoraproject:fedora"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"6.0.0"},{"fixed":"6.0.8"},{"last_affected":"6.0.8-r1"},{"last_affected":"6.0.8-r2"}],"cpes":["cpe:2.3:a:varnish-cache:varnish_cache:*:*:*:*:plus:*:*:*","cpe:2.3:a:varnish-cache:varnish_cache:6.0.8:r1:*:*:plus:*:*:*","cpe:2.3:a:varnish-cache:varnish_cache:6.0.8:r2:*:*:plus:*:*:*"],"vendor_product":"varnish-cache:varnish_cache"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"6.0.0"},{"last_affected":"6.0.5"},{"introduced":"6.0.0"},{"last_affected":"6.0.7"}],"cpes":["cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:*"],"vendor_product":"varnish-software:varnish_cache"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHBNLDEOTGYRIEQZBWV7F6VPYS4O2AAK/"},{"type":"ADVISORY","url":"https://docs.varnish-software.com/security/VSV00007/"},{"type":"ADVISORY","url":"https://varnish-cache.org/security/VSV00007.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5088"},{"type":"FIX","url":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be"},{"type":"FIX","url":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}