#VU56474 Inconsistent interpretation of HTTP requests in Apache HTTP Server - CVE-2021-33193

 


Published: September 13, 2021 / Updated: October 2, 2024


Vulnerability identifier: #VU56474
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-33193
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache HTTP Server
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to perform HTTP/2 request smuggling attacks.

The vulnerability exists due to improper validation of HTTP/2 requests in mod_proxy in Apache HTTP Server. A remote attacker can send a specially crafted HTTP/2 request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of the vulnerability may allow an attacker to poison the web server cache and perform phishing attacks.
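
The following is an added example, not part of the advisory and not Apache's code: the kind of check a proxy has to apply to decoded HTTP/2 field lines before re-serialising them as HTTP/1.1 for a backend, following the field validity rules of RFC 9113 section 8.2.1 and the RFC 9110 token grammar. The function name and the sample requests are constructed for illustration.

```python
import re

# RFC 9110 "token": the only characters legal in an HTTP method or field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 9113 section 8.2.1: bytes that must never appear in a field value.
FORBIDDEN_IN_VALUE = re.compile(rb"[\x00\r\n]")
REQUEST_PSEUDO = {b":method", b":scheme", b":authority", b":path"}


def check_h2_fields(fields):
    """Return reasons to reject a decoded HTTP/2 request; [] means acceptable."""
    problems = []
    seen_regular = False
    for name, value in fields:
        if name.startswith(b":"):
            if name not in REQUEST_PSEUDO:
                problems.append(f"unknown pseudo-header {name!r}")
            if seen_regular:
                problems.append(f"pseudo-header {name!r} after regular field")
            # These two become the HTTP/1.1 request line, so a space or
            # control byte would change how the backend parses it.
            if name == b":method" and not TOKEN.fullmatch(value):
                problems.append(":method is not a token")
            if name == b":path" and re.search(rb"[\x00-\x20\x7f]", value):
                problems.append(":path contains whitespace or control bytes")
        else:
            seen_regular = True
            # HTTP/2 field names must be lowercase tokens.
            if not TOKEN.fullmatch(name) or name != name.lower():
                problems.append(f"invalid field name {name!r}")
        if FORBIDDEN_IN_VALUE.search(value):
            problems.append(f"CR, LF or NUL in value of {name!r}")
        if value[:1] in (b" ", b"\t") or value[-1:] in (b" ", b"\t"):
            problems.append(f"leading or trailing whitespace in {name!r}")
    return problems


# Constructed samples: a well-formed request, and the same request with a
# line break inside a field value.
GOOD = [(b":method", b"GET"), (b":scheme", b"https"),
        (b":authority", b"example.test"), (b":path", b"/index.html"),
        (b"accept", b"text/html")]
BAD = GOOD[:-1] + [(b"x-note", b"a\r\nx-injected: 1")]

if __name__ == "__main__":
    print(check_h2_fields(GOOD))
    print(check_h2_fields(BAD))
```

A request that yields a non-empty list should be rejected as malformed rather than sanitised and forwarded.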


Remediation

Install the update from the vendor's website.

External links