HTTP Request Smuggling Affecting varnish-devel package, versions <0:6.0.6-2.module+el8.4.0+20258+f99218b2.1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ORACLE8-VARNISHDEVEL-2585288
- published 10 Apr 2022
- disclosed 14 Jul 2021
Introduced: 14 Jul 2021
CVE-2021-36740 Open this link in a new tabHow to fix?
Upgrade Oracle:8
varnish-devel
to version 0:6.0.6-2.module+el8.4.0+20258+f99218b2.1 or higher.
This issue was patched in ELSA-2021-2988
.
NVD Description
Note: Versions mentioned in the description apply only to the upstream varnish-devel
package and not the varnish-devel
package as distributed by Oracle
.
See How to fix?
for Oracle:8
relevant fixed versions and status.
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
References
- https://linux.oracle.com/cve/CVE-2021-36740.html
- https://linux.oracle.com/errata/ELSA-2021-2988.html
- https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be
- https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf
- https://docs.varnish-software.com/security/VSV00007/
- https://varnish-cache.org/security/VSV00007.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZHBNLDEOTGYRIEQZBWV7F6VPYS4O2AAK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/
- https://www.debian.org/security/2022/dsa-5088
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHBNLDEOTGYRIEQZBWV7F6VPYS4O2AAK/