CVE-2021-36740 log

Source
Severity Medium
Remote Yes
Type Url request injection
Description
Varnish Cache before version 6.6.1, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request.
Group Package Affected Fixed Severity Status Ticket
AVG-2154 varnish 6.6.0-2 6.6.1-1 Medium Fixed
Date Advisory Group Package Severity Type
14 Jul 2021 ASA-202107-28 AVG-2154 varnish Medium url request injection
References
https://varnish-cache.org/security/VSV00007.html
https://github.com/varnishcache/varnish-cache/commit/7d73bc843ea9bff79e33773f1cfe2dffa7d03ea1
Notes
Workaround
==========

The issue can be mitigated by turning off support for HTTP/2, using

sudo varnishadm param.set feature -http2

or by preventing connection reuse with the following configuration:

sub vcl_backend_fetch {
      set bereq.http.Connection = "close";
}