PT-2021-3858 · Apache · Apache HTTP Server

Published: 2021-05-11 · Updated: 2025-05-01 · CVE-2021-33193

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 2.4.17 through 2.4.48

Description

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. The issue stems from insufficient processing of HTTP requests by the mod_proxy module in the Apache HTTP Server, which allows a remote attacker to send a hidden HTTP request, also known as an HTTP Request Smuggling attack.

Recommendations

For Apache HTTP Server versions 2.4.17 through 2.4.48, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the mod_proxy module until a patch is available. Restrict access to the HTTP/2 protocol to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

ALSA-2022:1915
ALT-PU-2021-2866
ALT-PU-2021-2972
ALT-PU-2021-3037
ALT-PU-2021-3060
AZL-6483
BDU:2021-04216
BIT-APACHE-2021-33193
CESA-2022_1915
CVE-2021-33193
DLA-3351-1
MGASA-2021-0439
OPENSUSE-SU-2021:1234-1
OPENSUSE-SU-2021:2954-1
OPENSUSE-SU-2021_1234-1
OPENSUSE-SU-2021_2954-1
RHSA-2022:1915
RHSA-2022:6753
RHSA-2022:7143
RHSA-2022_1915
RLSA-2022:1915
SUSE-SU-2021:2918-1
SUSE-SU-2021:2954-1
SUSE-SU-2021:3335-1
SUSE-SU-2021_2918-1
SUSE-SU-2021_2954-1
USN-5090-1
USN-5090-3
USN-5090-4

Affected Products

ALT Linux
AlmaLinux
Apache HTTP Server
Astra Linux
CentOS
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu