VSV00007 Varnish HTTP/2 Request Smuggling Attack
A request smuggling attack can be performed on Varnish Cache and Varnish Cache Plus servers that have the HTTP/2 protocol enabled. The smuggled requests do not go through normal VCL processing, and any authorization steps implemented in VCL would be bypassed.
The responses to the smuggled requests can under some circumstances also be obtained by the attacker. Also, it may be possible for an attacker to use this for cache poisoning, where the response to a smuggled request is inserted as the cached content.
Affected Versions:
- Varnish Cache releases 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.5.0, 6.5.1, 6.6.0.
- Varnish Cache releases 5.x.x. Note that the experimental HTTP/2 support in these releases is known to have several issues, and enabling HTTP/2 is not recommended.
- Varnish Cache 6.0 LTS by Varnish Software up to and including 6.0.7
Versions not affected:
- All versions of Varnish Cache prior to version 5.0.0
Fixed In Version:
- Varnish Cache 6.6.1
- Varnish Cache 6.5.2
- Varnish Cache 6.0 LTS version 6.0.8
- GitHub Varnish Cache master branch at commit 450961a019d1c1955ca1851d51940ff2c87bdc98
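A version triage check built from the lists above, as an added example that is not part of the advisory or the Varnish project's code. The function names are hypothetical, the banner line is constructed, and the `feature` parameter's `+http2` flag (how Varnish enables HTTP/2) is not taken from this page; branches 6.1 to 6.4 are assumed affected throughout because the advisory names no fixed release for them.

```shell
#!/bin/sh
# Classify a Varnish Cache version against the VSV00007 version lists.
# Prints: affected | fixed | not-affected | not-listed | invalid
vsv00007_status() {
    # Accepts "6.0.7", "varnish-6.0.7" or a `varnishd -V` banner line.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    if [ -z "$ver" ]; then echo invalid; return 0; fi
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -lt 5 ]; then echo not-affected; return 0; fi  # prior to 5.0.0
    if [ "$major" -eq 5 ]; then echo affected; return 0; fi      # all 5.x.x
    if [ "$major" -gt 6 ]; then echo not-listed; return 0; fi    # not in the advisory
    case $minor in
        0) first_fixed=8 ;;   # 6.0 LTS: affected up to 6.0.7, fixed in 6.0.8
        5) first_fixed=2 ;;   # fixed in 6.5.2
        6) first_fixed=1 ;;   # fixed in 6.6.1
        # Assumption: no fixed release is listed for 6.1-6.4, so treat as affected.
        1|2|3|4) echo affected; return 0 ;;
        *) echo not-listed; return 0 ;;
    esac
    if [ "$patch" -lt "$first_fixed" ]; then echo affected; else echo fixed; fi
}

# Combine the version status with the HTTP/2 setting, since only servers with
# HTTP/2 enabled are exposed. $2 is the value of the `feature` parameter
# (assumption: the caller passes it, e.g. copied from `varnishadm param.show feature`).
vsv00007_exposed() {
    status=$(vsv00007_status "$1")
    case "$status:$2" in
        affected:*+http2*) echo exposed ;;
        affected:*)        echo affected-http2-off ;;
        *)                 echo "$status" ;;
    esac
}

# Constructed sample banner (the revision value is a placeholder).
vsv00007_exposed "varnishd (varnish-6.0.7 revision 0000000)" "+http2"
```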
References:
- https://varnish-cache.org/security/VSV00007.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36740
Affected branches:
- 3.14-stable
- 3.13-stable
- 3.12-stable
- 3.11-stable
- 3.10-stable
- 3.9-stable
- 3.8-stable
- 3.7-stable