| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Url request injection |
|
| Description |
| + |
Varnish Cache before version 6.6.1, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. |
|
| References |
| + |
https://varnish-cache.org/security/VSV00007.html |
| + |
https://github.com/varnishcache/varnish-cache/commit/7d73bc843ea9bff79e33773f1cfe2dffa7d03ea1 |
|
| Notes |
| + |
Workaround |
| + |
========== |
| + |
|
| + |
The issue can be mitigated by turning off support for HTTP/2, using |
| + |
|
| + |
sudo varnishadm param.set feature -http2 |
| + |
|
| + |
or by preventing connection reuse with the following configuration: |
| + |
|
| + |
sub vcl_backend_fetch { |
| + |
set bereq.http.Connection = "close"; |
| + |
} |
|