Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x prior to 6.0.8r3, and Varnish Cache 5.x and 6.x prior to 6.5.2, 6.6.x prior to 6.6.1, and 6.0 LTS prior to 6.0.8.
| Vulnerable Product |
|---|
| varnish-cache varnish cache |
| varnish-cache varnish cache 6.0.8 |
| varnish cache project varnish cache |
| varnish-software varnish cache |
| fedoraproject fedora 33 |
| fedoraproject fedora 34 |
| debian debian linux 10.0 |
| debian debian linux 11.0 |