{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2021-33193","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","dateUpdated":"2024-08-03T23:42:20.253Z","dateReserved":"2021-05-19T00:00:00.000Z","datePublished":"2021-08-16T00:00:00.000Z"},"containers":{"cna":{"title":"Request splitting via HTTP/2 method injection and mod_proxy","providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2023-03-03T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48."}],"affected":[{"vendor":"Apache Software Foundation","product":"Apache HTTP Server","versions":[{"version":"Apache HTTP Server 2.4 2.4.17 to 2.4.48","status":"affected"}]}],"references":[{"url":"https://portswigger.net/research/http2"},{"url":"https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c.patch"},{"name":"[httpd-cvs] 20210916 [httpd-site] branch main updated: Revert \"Add descriptions for CVE-2021-33193 CVE-2021-36160\"","tags":["mailing-list"],"url":"https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3Ccvs.httpd.apache.org%3E"},{"name":"[httpd-cvs] 20210916 [httpd-site] branch main updated: Add descriptions for CVE-2021-33193 CVE-2021-36160","tags":["mailing-list"],"url":"https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3Ccvs.httpd.apache.org%3E"},{"name":"FEDORA-2021-5d2d4b6ac5","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/"},{"name":"FEDORA-2021-f94985afca","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/"},{"name":"20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021","tags":["vendor-advisory"],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"url":"https://security.netapp.com/advisory/ntap-20210917-0004/"},{"url":"https://www.tenable.com/security/tns-2021-17"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"name":"GLSA-202208-20","tags":["vendor-advisory"],"url":"https://security.gentoo.org/glsa/202208-20"},{"name":"[debian-lts-announce] 20230303 [SECURITY] [DLA 3351-1] apache2 security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00002.html"}],"credits":[{"lang":"en","value":"Reported by James Kettle of PortSwigger"}],"metrics":[{"other":{"type":"unknown","content":{"other":"moderate"}}}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"Request Splitting"}]}],"x_generator":{"engine":"Vulnogram 0.0.9"},"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2021-05-11T00:00:00.000Z","value":"reported"},{"lang":"en","time":"2021-08-06T00:00:00.000Z","value":"public"}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T23:42:20.253Z"},"title":"CVE Program Container","references":[{"url":"https://portswigger.net/research/http2","tags":["x_transferred"]},{"url":"https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c.patch","tags":["x_transferred"]},{"name":"[httpd-cvs] 20210916 [httpd-site] branch main updated: Revert \"Add descriptions for CVE-2021-33193 CVE-2021-36160\"","tags":["mailing-list","x_transferred"],"url":"https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3Ccvs.httpd.apache.org%3E"},{"name":"[httpd-cvs] 20210916 [httpd-site] branch main updated: Add descriptions for CVE-2021-33193 CVE-2021-36160","tags":["mailing-list","x_transferred"],"url":"https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3Ccvs.httpd.apache.org%3E"},{"name":"FEDORA-2021-5d2d4b6ac5","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/"},{"name":"FEDORA-2021-f94985afca","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/"},{"name":"20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021","tags":["vendor-advisory","x_transferred"],"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20210917-0004/","tags":["x_transferred"]},{"url":"https://www.tenable.com/security/tns-2021-17","tags":["x_transferred"]},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","tags":["x_transferred"]},{"name":"GLSA-202208-20","tags":["vendor-advisory","x_transferred"],"url":"https://security.gentoo.org/glsa/202208-20"},{"name":"[debian-lts-announce] 20230303 [SECURITY] [DLA 3351-1] apache2 security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00002.html"}]}]}}