{"id":"CVE-2021-36740","details":"Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.","aliases":["BIT-varnish-2021-36740"],"modified":"2026-04-16T04:31:27.819737001Z","published":"2021-07-14T17:15:08.253Z","related":["openSUSE-SU-2022:0148-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHBNLDEOTGYRIEQZBWV7F6VPYS4O2AAK/"},{"type":"ADVISORY","url":"https://docs.varnish-software.com/security/VSV00007/"},{"type":"ADVISORY","url":"https://varnish-cache.org/security/VSV00007.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5088"},{"type":"FIX","url":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be"},{"type":"FIX","url":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/varnishcache/varnish-cache","events":[{"introduced":"a068361dff0d25a0d85cf82a6e5fdaf315e06a7d"},{"fixed":"97e54ada6ac578af332e52b44d2038bb4fa4cd4a"},{"introduced":"a068361dff0d25a0d85cf82a6e5fdaf315e06a7d"},{"last_affected":"3065ccaacc4bb537fb976a524bd808db42c5fe40"},{"introduced":"a068361dff0d25a0d85cf82a6e5fdaf315e06a7d"},{"last_affected":"525d371e3ea0e0c38edd7baf0f80dc226560f26e"},{"introduced":"99d036fe0b49c7487edb7dfd0da10fc2eef30505"},{"last_affected":"67e56248220057f59f794ecc95d7a644b8492fef"},{"introduced":"4684c38ecfc194b4f3b5b81594832dbb197a3bb9"},{"last_affected":"ef54768fc10f5b19556c7cf9866efc88cfbda8ff"},{"fixed":"82b0a629f60136e76112c6f2c6372cce77b683be"},{"fixed":"9be22198e258d0e7a5c41f4291792214a29405cf"}],"database_specific":{"versions":[{"introduced":"6.0.0"},{"fixed":"6.0.8"},{"introduced":"6.0.0"},{"last_affected":"6.0.5"},{"introduced":"6.0.0"},{"last_affected":"6.0.7"},{"introduced":"5.0.0"},{"last_affected":"5.2.1"},{"introduced":"6.1.0"},{"last_affected":"6.6.0"}]}}],"versions":["varnish-5.0.0","varnish-5.1.0","varnish-5.1.1","varnish-5.1.2","varnish-5.2.0","varnish-5.2.0-rc1","varnish-5.2.0-rc2","varnish-5.2.1","varnish-6.0.0","varnish-6.0.1","varnish-6.0.2","varnish-6.0.3","varnish-6.0.4","varnish-6.0.5","varnish-6.0.6","varnish-6.0.7","varnish-6.1.0","varnish-6.4.0","varnish-6.5.0","varnish-6.5.1","varnish-6.6.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.8-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36740.json","vanir_signatures_modified":"2026-04-11T16:26:02Z","vanir_signatures":[{"id":"CVE-2021-36740-40a11df2","digest":{"threshold":0.9,"line_hashes":["96594679652235793478936197214739384428","339459041543529833794218464905202114607","279418260458959367168050697796270059616"]},"deprecated":false,"target":{"file":"bin/varnishd/http2/cache_http2.h"},"signature_version":"v1","source":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf","signature_type":"Line"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["319068846067141077674517737040206032799","274353302911709537974243764397932581341","208905520421134520460266232406743196538","73086315340845631618599290708976930073","45345459762820099820689968109526438325","340200689723017681936032407269823666538","131104118656162689643490246175672649667","328345390936522563376720596018008165721","76731877846164817541578033198421077993","128439728396422328233434357191828462337","107319550199931273783163815162928966657","81157401837015946607351207867327299215","97360033589979999387691178642859045922","73536272802941455868253792413217309254","338175314527739574972815094415174854982","35372504324213186992998909497482117632","141805938930458057492783450825077972424","95652761703888682500413291417301362049","144016718817270494714516261481624246524","23034497810754045751552518789258766638","250684336114939372379667006286775547711","234489751868536946923934456578626828431","261066693767689040588092339008749352082","77032436857494004235688079038925959168","201993082614027781764269695738784931002","224075334554160644837040476532160299252","87774922790116606955180312971410476114","272703658077891915828801242324228797896","2868793699174563681990444113713545452","196460651349024236897844127213278127554","125430785635549524489210990494404182027","132920814885250519596789044201833532554","67223240496591929872137056882178336880","222798785167562960086044945753951445944","171725439827953424882661539175816631452","311300411274644989261442296934303587302","248202766650665968777041095278730149429","110829078053625966343870111990685952478","211459360683093362770562507676684227624","12001120493820655175044509516892331829","78346852381289768209228900915764655954","289634711716964746914009452996406474211","215426642459140248912779234757462492466","332084814337334570559592300199245217027"]},"target":{"file":"bin/varnishd/http2/cache_http2_proto.c"},"source":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf","signature_version":"v1","id":"CVE-2021-36740-53eab5af","signature_type":"Line"},{"source":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf","digest":{"length":1723,"function_hash":"289837936790979699010818898396070346431"},"id":"CVE-2021-36740-6f018b40","deprecated":false,"signature_version":"v1","target":{"function":"h2_end_headers","file":"bin/varnishd/http2/cache_http2_proto.c"},"signature_type":"Function"},{"deprecated":false,"digest":{"length":1721,"function_hash":"189079400166567416762404618048211487590"},"target":{"function":"h2_rx_data","file":"bin/varnishd/http2/cache_http2_proto.c"},"source":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf","signature_version":"v1","id":"CVE-2021-36740-890ec268","signature_type":"Function"},{"deprecated":false,"digest":{"length":1266,"function_hash":"250733975286537413943421660320081123180"},"target":{"function":"h2_vfp_body","file":"bin/varnishd/http2/cache_http2_proto.c"},"source":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf","signature_version":"v1","id":"CVE-2021-36740-a8ddf732","signature_type":"Function"},{"source":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be","digest":{"threshold":0.9,"line_hashes":["321512367868134525491539838871430876084","53966348232674706180883999704314591993","112189269010713934362454945982987285093","83452261533668801857880234681874210620","126557411321562658525626135066837660832","138844621303148241755654140191731255422","106790144876060690172069889601222975062","60137546732818246979747965706000576656","336365565918691845243515060963439140418","155958802197505590868152760828239707175","272889598194545998678854085594421793864","132211763810066596212092125342379472967","291243419860909989710731087945611959123","48507533879275631949945225808360190879","158364661238759135933036554770533983942","338175314527739574972815094415174854982","35372504324213186992998909497482117632","141805938930458057492783450825077972424","95652761703888682500413291417301362049","144016718817270494714516261481624246524","23034497810754045751552518789258766638","250684336114939372379667006286775547711","234489751868536946923934456578626828431","261066693767689040588092339008749352082","77032436857494004235688079038925959168","201993082614027781764269695738784931002","224075334554160644837040476532160299252","87774922790116606955180312971410476114","272703658077891915828801242324228797896","2868793699174563681990444113713545452","196460651349024236897844127213278127554","125430785635549524489210990494404182027","132920814885250519596789044201833532554","67223240496591929872137056882178336880","222798785167562960086044945753951445944","171725439827953424882661539175816631452","311300411274644989261442296934303587302","248202766650665968777041095278730149429","110829078053625966343870111990685952478","211459360683093362770562507676684227624","12001120493820655175044509516892331829","78346852381289768209228900915764655954","289634711716964746914009452996406474211","215426642459140248912779234757462492466","332084814337334570559592300199245217027"]},"id":"CVE-2021-36740-b4873106","deprecated":false,"signature_version":"v1","target":{"file":"bin/varnishd/http2/cache_http2_proto.c"},"signature_type":"Line"},{"deprecated":false,"digest":{"length":1266,"function_hash":"250733975286537413943421660320081123180"},"source":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be","id":"CVE-2021-36740-c648d8d1","signature_version":"v1","target":{"function":"h2_vfp_body","file":"bin/varnishd/http2/cache_http2_proto.c"},"signature_type":"Function"},{"id":"CVE-2021-36740-d5bdb164","digest":{"length":1721,"function_hash":"189079400166567416762404618048211487590"},"deprecated":false,"target":{"function":"h2_rx_data","file":"bin/varnishd/http2/cache_http2_proto.c"},"signature_version":"v1","source":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be","signature_type":"Function"},{"source":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be","digest":{"length":1607,"function_hash":"238937024195301636687300950763608509409"},"id":"CVE-2021-36740-f02afbb1","deprecated":false,"signature_version":"v1","target":{"function":"h2_end_headers","file":"bin/varnishd/http2/cache_http2_proto.c"},"signature_type":"Function"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["96594679652235793478936197214739384428","339459041543529833794218464905202114607","177132310497924254819981955067877769698"]},"target":{"file":"bin/varnishd/http2/cache_http2.h"},"source":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be","signature_version":"v1","id":"CVE-2021-36740-f1bb3ce2","signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}