CVE-2021-33193 — HIGH (7.5)

Q: How severe is CVE-2021-33193?

CVE-2021-33193 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-33193?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Apache Http Server, Fedoraproject Fedora, Tenable Tenable.Sc, Oracle Secure Backup.

Vulnerability Description

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	10.0
Apache	Http Server	>= 2.4.17, < 2.4.49
Fedoraproject	Fedora	34
Tenable	Tenable.Sc	<= 5.19.1
Oracle	Secure Backup	< 18.1.0.1.0
Oracle	Zfs Storage Appliance Kit	8.8

References

https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c.Patch
https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaPatch
https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2Patch
https://lists.debian.org/debian-lts-announce/2023/03/msg00002.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproThird Party Advisory
https://portswigger.net/research/http2ExploitThird Party Advisory
https://security.gentoo.org/glsa/202208-20Third Party Advisory
https://security.netapp.com/advisory/ntap-20210917-0004/Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.tenable.com/security/tns-2021-17Third Party Advisory
https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c.Patch
https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaPatch

FAQ

What is CVE-2021-33193?

CVE-2021-33193 is a vulnerability with a CVSS score of 7.5 (HIGH). A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.4...

How severe is CVE-2021-33193?

CVE-2021-33193 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-33193?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Apache Http Server, Fedoraproject Fedora, Tenable Tenable.Sc, Oracle Secure Backup.