Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-33193
HistoryAug 16, 2021 - 12:00 a.m.

CVE-2021-33193

2021-08-1600:00:00
ubuntu.com
ubuntu.com
37

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

44.3%

A crafted method sent through HTTP/2 will bypass validation and be
forwarded by mod_proxy, which can lead to request splitting or cache
poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

Notes

Author Note
mdeslaur commits for trunk and 2.4 don’t match, needs investigation commit for 2.4 is the one listed in the vulnerability report as of 2021-08-26, no new version of apache contains the fix
OSVersionArchitecturePackageVersionFilename
ubuntu21.10noarchapache2< 2.4.48-3.1ubuntu2UNKNOWN
ubuntu18.04noarchapache2< 2.4.29-1ubuntu4.17UNKNOWN
ubuntu20.04noarchapache2< 2.4.41-4ubuntu3.5UNKNOWN
ubuntu21.04noarchapache2< 2.4.46-4ubuntu1.2UNKNOWN
ubuntu22.04noarchapache2< 2.4.48-3.1ubuntu2UNKNOWN

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

44.3%