Vulnerability Name:

CVE-2021-36740 (CCN-205582)

Assigned:2021-07-13
Published:2021-07-13
Updated:2022-08-02
Summary:Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
8.1 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-444
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-36740

Source: MISC
Type: Mitigation, Vendor Advisory
https://docs.varnish-software.com/security/VSV00007/

Source: XF
Type: UNKNOWN
varnish-cve202136740-request-smuggling(205582)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-cf7585f0ca

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-36e10d3f9f

Source: CCN
Type: Varnish Cache VSV00007
Varnish HTTP/2 Request Smuggling Attack

Source: MISC
Type: Mitigation, Vendor Advisory
https://varnish-cache.org/security/VSV00007.html

Source: DEBIAN
Type: Third Party Advisory
DSA-5088

Vulnerable Configuration:Configuration 1:
  • cpe:/a:varnish-cache:varnish_cache:*:*:*:*:plus:*:*:* (Version >= 6.0.0 and < 6.0.8)
  • OR cpe:/a:varnish-cache:varnish_cache:6.0.8:r2:*:*:plus:*:*:*
  • OR cpe:/a:varnish-cache:varnish_cache:6.0.8:r1:*:*:plus:*:*:*
  • OR cpe:/a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.2.1)
  • OR cpe:/a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:* (Version >= 6.1.0 and <= 6.6.0)
  • OR cpe:/a:varnish-software:varnish_cache:*:*:*:*:lts:*:*:* (Version >= 6.0.0 and <= 6.0.7)
  • OR cpe:/a:varnish-software:varnish_cache:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.0.5)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20212988
    P
    		RHSA-2021:2988: varnish:6 security update (Important)
    2021-08-02
    BACK
    varnish-cache varnish cache *
    varnish-cache varnish cache 6.0.8 r2
    varnish-cache varnish cache 6.0.8 r1
    varnish_cache_project varnish cache *
    varnish_cache_project varnish cache *
    varnish-software varnish cache *
    varnish-software varnish cache *
    fedoraproject fedora 33
    fedoraproject fedora 34
    debian debian linux 10.0
    debian debian linux 11.0