CVE-2021-33193

Updated: 2023-11-07 19:06:39.600093

Description:

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5 |
| CVSS Version 3.x | HIGH | 7.5 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | httpd | 2.2.15 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:49 |
| CentOS 8.4 ELS | httpd | 2.4.37 | 7.5 | HIGH | Released | CLSA-2022:1654106434 | 2022-06-01 14:37:18 |
| CentOS 8.5 ELS | httpd | 2.4.37 | 7.5 | HIGH | Released | CLSA-2022:1654106630 | 2022-06-01 14:37:00 |
| CloudLinux 6 ELS | httpd | 2.2.15 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:49 |
| Oracle Linux 6 ELS | httpd | 2.2.15 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:49 |
| Ubuntu 16.04 ELS | apache2 | 2.4.18 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:45 |
| Ubuntu 18.04 ELS | apache2 | 2.4.29 | 7.5 | HIGH | Already Fixed | | 2023-06-02 09:11:09 |

Statement

We’ve reasoned that this vulnerability is hard to use to cause significant impact on the target system. Even with our fix, the system may still be vulnerable due to different intermediate web servers (proxies) used. Given that the fix is complex (and it requires significant time to adopt to our supported systems) and the rate is not that high, we’ve decided not to adopt it.