varnish-cache varnish_cache http请求的解释不一致性（http请求私运）

admin

0
文章

0
评论

2023-12-01 13:36:43 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

低危 varnish-cache varnish_cache http请求的解释不一致性（http请求私运）

CVE编号

CVE-2021-36740

利用情况

暂无

补丁情况

官方补丁

披露时间

2021-07-15

漏洞描述

Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://docs.varnish-software.com/security/VSV00007/
https://github.com/varnishcache/varnish-cache/commit/82b0a629f60136e76112c6f2...
https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f42...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://varnish-cache.org/security/VSV00007.html
https://www.debian.org/security/2022/dsa-5088

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	varnish-cache	varnish_cache	*	From (including) 5.0.0	Up to (including) 5.2.1
	运行在以下环境
	应用	varnish-cache	varnish_cache	*	From (including) 6.0.0	Up to (excluding) 6.0.8
	运行在以下环境
	应用	varnish-cache	varnish_cache	*	From (including) 6.0.0	Up to (including) 6.0.5
	运行在以下环境
	应用	varnish-cache	varnish_cache	*	From (including) 6.0.0	Up to (including) 6.0.7
	运行在以下环境
	应用	varnish-cache	varnish_cache	*	From (including) 6.1.0	Up to (including) 6.6.0
	运行在以下环境
	应用	varnish-cache	varnish_cache	6.0.8	-
	运行在以下环境
	系统	alpine_3.11	varnish	*		Up to (excluding) 6.5.2-r0
	运行在以下环境
	系统	alpine_3.12	varnish	*		Up to (excluding) 6.5.2-r0
	运行在以下环境
	系统	alpine_3.13	varnish	*		Up to (excluding) 6.5.2-r0
	运行在以下环境
	系统	alpine_3.14	varnish	*		Up to (excluding) 6.6.1-r0
	运行在以下环境
	系统	alpine_3.15	varnish	*		Up to (excluding) 6.6.1-r0
	运行在以下环境
	系统	alpine_3.16	varnish	*		Up to (excluding) 6.6.1-r0
	运行在以下环境
	系统	alpine_3.17	varnish	*		Up to (excluding) 6.6.1-r0
	运行在以下环境
	系统	alpine_3.18	varnish	*		Up to (excluding) 6.6.1-r0
	运行在以下环境
	系统	alpine_edge	varnish	*		Up to (excluding) 6.6.1-r0
	运行在以下环境
	系统	anolis_os_8	varnish-docs	*		Up to (excluding) 6.0.2-2
	运行在以下环境
	系统	anolis_os_8.2	varnish-docs	*		Up to (excluding) 6.0.2-2
	运行在以下环境
	系统	centos_8	varnish	*		Up to (excluding) 0.15.0-4.module+el8+2481+4078e9d2
	运行在以下环境
	系统	debian_10	varnish	*		Up to (excluding) 6.1.1-1+deb10u3
	运行在以下环境
	系统	debian_11	varnish	*		Up to (excluding) 6.5.1-1+deb11u2
	运行在以下环境
	系统	debian_12	varnish	*		Up to (excluding) 6.5.2-1
	运行在以下环境
	系统	debian_9	varnish	*		Up to (including) 5.0.0-7+deb9u2
	运行在以下环境
	系统	debian_sid	varnish	*		Up to (excluding) 6.5.2-1
	运行在以下环境
	系统	fedora_33	varnish	*		Up to (excluding) 6.4.0-5.fc33
	运行在以下环境
	系统	fedora_33_Modular	varnish	*		Up to (excluding) 6.0-3320210717084350.601d93de
	运行在以下环境
	系统	fedora_34	varnish	*		Up to (excluding) 6.5.2-1.fc34
	运行在以下环境
	系统	fedora_34_Modular	varnish	*		Up to (excluding) 6.0-3420210717084350.058368ca
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	varnish	*		Up to (excluding) 6.0.0-6.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	varnish	*		Up to (excluding) 6.0.0-9.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	varnish	*		Up to (excluding) 6.0.0-6.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	varnish	*		Up to (excluding) 6.0.0-9.ky10
	运行在以下环境
系统	opensuse_Leap_15.3	libvarnishapi3	*		Up to (excluding) 7.1.0-bp153.2.3.1
运行在以下环境
系统	oracle_8	oraclelinux-release	*		Up to (excluding) 6.0.6-2.module+el8.4.0+20258+f99218b2.1
运行在以下环境
系统	redhat_8	varnish	*		Up to (excluding) 0.15.0-4.module+el8+2481+4078e9d2
运行在以下环境
系统	ubuntu_20.04	varnish	*		Up to (excluding) 6.2.1-2ubuntu0.1
运行在以下环境
系统	ubuntu_21.10	varnish	*		Up to (excluding) 6.5.2-1
运行在以下环境
系统	unionos_d	varnish	*		Up to (excluding) 6.1.1.1-deepin1