{"id":"UBUNTU-CVE-2021-36740","details":"Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.","modified":"2026-02-04T17:32:17.108510Z","published":"2021-07-14T17:15:00Z","related":["USN-5474-1"],"upstream":["CVE-2021-36740"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-36740"},{"type":"REPORT","url":"https://varnish-cache.org/security/VSV00007.html"},{"type":"REPORT","url":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf"},{"type":"REPORT","url":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be"},{"type":"REPORT","url":"https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2c6372cce77b683be"},{"type":"REPORT","url":"https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf"},{"type":"REPORT","url":"https://docs.varnish-software.com/security/VSV00007/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5474-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-36740"}],"affected":[{"package":{"name":"varnish","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/varnish@6.2.1-2ubuntu0.1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.2.1-2ubuntu0.1"}]}],"versions":["6.1.1-1","6.2.1-2"],"ecosystem_specific":{"binaries":[{"binary_version":"6.2.1-2ubuntu0.1","binary_name":"libvarnishapi-dev"},{"binary_version":"6.2.1-2ubuntu0.1","binary_name":"libvarnishapi2"},{"binary_version":"6.2.1-2ubuntu0.1","binary_name":"varnish"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-36740.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}