CVE-2021-33193
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-33193
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33193.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-33193
- Aliases
- Downstream
- Related
- Published
- 2021-08-16T08:15:11Z
- Modified
- 2025-10-21T02:34:29Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
- References
-
- https://lists.debian.org/debian-lts-announce/2023/03/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/
- https://portswigger.net/research/http2
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20210917-0004/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.tenable.com/security/tns-2021-17
- https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c.patch
- https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3Ccvs.httpd.apache.org%3E
Affected packages
Git / github.com/apache/httpd
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/httpd
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "74385937424682073426222761620785437604",
"length": 3037.0
},
"target": {
"function": "h2_request_create_rec",
"file": "modules/http2/h2_request.c"
},
"id": "CVE-2021-33193-01894a96",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"216297871701906497333138545995471757505",
"93734847148042883006357782515785426832",
"150846389549346140709616835203187875525",
"192504961868692345112104824488854879258",
"232279799958932397039464972254077152756",
"246650058331140428352860127500750884144",
"224910715965332014916135045228160364252",
"178132953457944246358558910016590299713",
"262610662380915151057957974804465536698",
"138739775858505879708519534554941537035"
],
"threshold": 0.9
},
"target": {
"file": "server/core.c"
},
"id": "CVE-2021-33193-2d28d8cf",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "232561589811635676432190221137713359538",
"length": 1449.0
},
"target": {
"function": "my_ap_create_request",
"file": "modules/http2/h2_request.c"
},
"id": "CVE-2021-33193-305a9bda",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "299893903342453542481954802508538870005",
"length": 8682.0
},
"target": {
"function": "read_request_line",
"file": "server/protocol.c"
},
"id": "CVE-2021-33193-47942179",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "66528389457521192134320628841659562841",
"length": 920.0
},
"target": {
"function": "ap_update_vhost_from_headers",
"file": "server/vhost.c"
},
"id": "CVE-2021-33193-4e316154",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"300332546954744056386829500267513942870",
"246764124888433614445853790772610687947",
"226630161509637117771314546742937879811",
"29598197113619084673008803306836547134",
"186998961571646225522646665970498112733",
"23594989990645529024330406188705613064",
"335747086418819289781618980010402094369",
"53213403222936578034332898610033472096",
"185294332261703005034313070009840169353",
"36750153875944725439392658571300570447",
"21233719877383760416376411486348057578",
"269205472140826026793227090232925615712",
"184965890592247512720325168507922620367",
"224101990554885433509028551594240753544",
"273752329639628897219025001365030362553",
"248956925503132062045984957955671194817",
"114304397056576424886949005309258719351",
"323669337340099828717520016722958272357",
"103672882477399577798103088305971323203",
"294343662223257147700553404031552606270",
"193756506824014935995902514500539111338",
"19247308119464185688067273969974593189",
"12036092659959105851767104029950459517",
"277882745903069776096332473257115271686",
"139705289248908639884448743751552145537",
"208719935961110123054890632111034187508",
"12036092659959105851767104029950459517",
"48901114112234287299521948585767805217",
"235013916254915019238688480630600147455",
"213046260982220425307693056672570234779",
"20992570891062002198765450051457894114",
"299149591634768911997998177097862040359",
"221162877562750190956636356360639617449",
"184826433840095665636802791667385490877",
"261551819422877343965004507124528154571",
"105996562157343975575028527703173660951",
"226297681173154256448899579856614773295",
"166076739624659809079729671147367965350",
"219105799861823936863775081907728687749",
"53859868697561953502473452817585983288",
"206988470994791232102917768619230281996",
"326367307010173033984365458523159005178",
"329116741758008401897478422914650662043",
"231086956929159807807594174784838418870",
"227204856932424598149842959004584820415",
"323212708158434708925929079958892763911",
"111842247390050410502294872670157281856",
"214512372731206236454141171611223159117",
"107758834131078265178734951655336151871",
"326239089449393405366408651581534170592",
"132998916568903354347768233916294643507",
"17554320978123574338588948640318824592",
"15881735432961287071832118692721726034",
"52983843906117887206093043332873658965",
"260639579195783328408908894713651874121",
"95633207743464779052244516264041397356",
"19285858262840825887630174945062830669",
"247467308305886357202744894348120944616",
"94298437945042307282498911581259301817",
"323348895017086372864031257242306097258",
"153826166809423795350074608402788889252",
"156389612550984822984288542470995215561",
"87786147336152949478923983501568288729",
"146638948357725789913309797614843544275",
"85054157827771336314061093449080524",
"300377074003730382359483770654889092714",
"235701800680851275262025725582525966962",
"73151138198072153783665541358559045928",
"104640694884037610285022794945178650512",
"203490501772367801204954856899793874715",
"137581556846999966897105952898952058066",
"51213466320745261616229709060831061798",
"295646005331723452830351980840184559366",
"203254358060781793270057931201136783938",
"133665708201215122072248101663182528860",
"301000510716500426195840965483025476079",
"114754832616390281116930482742189022728",
"86600697323569454799059566155460276681",
"208755916771174938921047960833048814334",
"125945882525276504803292991336204713392",
"34048382156876538531406646725549678872",
"250872294272202446006843078857292219778",
"285125152946126309073686846678136823161",
"320313254016974962165275124457953998788",
"104794975696823522408239503627189327050",
"183753184342583997874840209919224544425",
"61858715410186280410770221575590025819",
"8045705401946769411262756829511698282",
"6021836347426793777977713584133213474",
"102923988869687765834339002951324659426",
"50269322788268248752130681753827433001",
"4626058515588206615851357170138213412",
"59902986787864961622605617963273545122",
"99347878728427264367430717876165264460",
"59989390063364094919000049100053060931",
"68545203713147509480761573273577109919",
"76812369813147038937224921516909296767",
"308512565746181719734834117052852098317",
"4666306497333853523521291935320248039",
"81557184609060684195583868873934259909",
"109014231966352170343341128111645275246",
"4626058515588206615851357170138213412",
"59902986787864961622605617963273545122",
"99347878728427264367430717876165264460",
"103788567563189975152061107963356845467",
"286611185739092140172642278110345072223",
"96667374378114217832600281704260753536",
"330577636702179812300122709993865976640",
"17584080921320022376512014748901366343",
"81557184609060684195583868873934259909",
"109014231966352170343341128111645275246",
"4626058515588206615851357170138213412",
"59902986787864961622605617963273545122",
"99347878728427264367430717876165264460",
"142084014972609647878692346128817453063",
"155379276579448755558443921887388162165",
"284005748808505408620930986883864472528",
"317269394885508572927796434545560457420",
"124386630513962099951222739292355952474",
"275078174285468078467053652073044527536",
"230305400460558131387405639761220408449",
"306910911582830292385910528203630601152",
"127382494377110576734155501998464949951",
"300553023474171539240018633653780112607",
"104040421013654845402669253425859753254",
"124150536986718899257773096929558303067",
"190446048295083627571853868563996788026",
"312455192492187731623936693011932112231",
"154584082151842202554415943278285572512",
"149746785754257467710810751654448772479",
"26469780299287274282119537905084439638",
"153281784443265862126935369255824403928",
"86423829677873888237731771817642178072",
"2225411913258838473295721070111101169",
"296027613779064825435650127182881258588",
"10428584084686751497594085372417473259",
"60765175966814283049330151675674849424",
"172488451661173463405388521540108234819",
"165555648076406657260586855310160148056",
"156389612550984822984288542470995215561",
"19205166552913211666236219749101059849",
"113764662193684181107433501197266520164",
"232077847296663125777022671706317788580",
"261364229418147383587229295060962194601",
"7572125529871706314851744329237881393",
"153339685397902309638239306241840844168",
"263673789264563909074336009047477159776",
"70698921272283276267442433731658091847",
"328989979962512982711714966933404743251",
"278865536673587249442214709188796155106",
"312503509878540282351671765826378696566",
"206382339901492735115541279576864411429",
"109709371338708516535248320385763181964",
"231309235394201932337700864283746707943",
"152675896268843314894695432847240050343",
"54089934677915197988218478818842686629",
"117441576048865469208017858824444265073",
"282206608736489744783899777041316377549",
"131763702733221984598969531106545673595",
"48966997720369089976666915478594516800",
"125100413368770914074286519354226041067",
"260370058965327915596631521762821596979",
"170745741133192691675954187357277229298",
"32672297096309986156349637721588161138",
"169070934708745199077391508546925485512",
"169378497082350855231668800990852669228"
],
"threshold": 0.9
},
"target": {
"file": "server/protocol.c"
},
"id": "CVE-2021-33193-505a37e6",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "215428491033119428690843026233414950168",
"length": 2070.0
},
"target": {
"function": "merge_core_server_configs",
"file": "server/core.c"
},
"id": "CVE-2021-33193-6eb5c878",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"227332247329354298314641107288773945366",
"183361740527739775512764340734177836534",
"146057162755454792429935524666013896011",
"338170452333378458283702720663628486245",
"248731936135457239859980360857745960525",
"248421133739355130802783520937681726203",
"239607610381661700651748801220620782360",
"75517057069199102563277637088341937782",
"244297888116859442247504263728804245966",
"203864354109166257116990619265612545030",
"222203675586486931518567947036654601711",
"206320291644989762114256156611877964400",
"258179284149873571169150261877426252907",
"45682717917254505231382489479169091674",
"176904619150264093421829940159282281256",
"152208706633835929662612368786275584243",
"180658310404399041364962936040012599928",
"187283858462473052148380439914372019795",
"322264514491337621943697410317819810504",
"105751748154407944530293337223739838744",
"230560798289150271017993507504043528675",
"184487006945101625959311815516231652961",
"263001078825072052012227600511332679503",
"172365974971050933329260176324262527583",
"214829312181901293248407953000029048177",
"331324316533248686814730304413370911651",
"311560450472957906638070544587400917045",
"101549766358574788796305789975003783447",
"51490748258308951023855883739221879735",
"66287640780298710178027454212337271931",
"332583852830975604904629735314999297242",
"75143360116282108829211552277885652208",
"218785578743524643117336862294154282709",
"66069811532675616185041205562546282957",
"27370502239530104900297502893605202437",
"160926997357578928672573721753492080711",
"39951004672178372736135119601256120223",
"178743794614591053796012228627973125412"
],
"threshold": 0.9
},
"target": {
"file": "server/vhost.c"
},
"id": "CVE-2021-33193-8bae85e0",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"289225306959655499106015251096855510148",
"245348977828474423094334951556693485131",
"86858495870287112506534894103898693768",
"76988723410918074070849926868526807292",
"69900619055833845043563124052426156346",
"170997537028318403483668277350217326046",
"144756528731276726989596342001464031947"
],
"threshold": 0.9
},
"target": {
"file": "include/http_core.h"
},
"id": "CVE-2021-33193-9ec4e039",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "226517842720477420411685650824600001489",
"length": 682.0
},
"target": {
"function": "check_hostalias",
"file": "server/vhost.c"
},
"id": "CVE-2021-33193-a9de118c",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"284523205132419951567089004089827047349",
"176980117406292374599348039040518959222",
"24450999592125777846884762870382568720",
"1991052693178964735960488803030166641"
],
"threshold": 0.9
},
"target": {
"file": "include/http_protocol.h"
},
"id": "CVE-2021-33193-b07af649",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"89840560850598168680009790028081396031",
"304099382736720515146443005313862026717",
"96978841306483597580675266270599030355",
"283112826979492383937317522150408762912",
"205078683593921345491832845855592466848",
"168382667473112043806022694164708303727",
"222555993511620305934124904676830796574",
"289903956130223586396950866121206006480",
"282567750873929577994853645757469648380",
"285589896016843902940114982850004252855",
"243336133882052927727697438194094628770",
"53419925920711408717952591690037931749",
"308581415353344561753534644554303840148",
"127102650257271962268636507507638191714",
"26583771996368177312780046687644381103",
"218719050545253361819105328994456490655",
"279097303162216007053694451229404425906",
"161557903322560769376034921615786706305",
"162201783296394426896482823853820238569",
"152035005343006722597109285643944043758",
"267210938771162949740087601512850773897",
"24394100855479239989950875146901787363",
"148983918831892821100525236226127099545",
"189725206885984405637453120204823479897",
"188805939377747348471276560740944352695",
"152730302710031140623276885316723711744",
"12057928260175523388362444257922295366",
"325094685727961987948474279665949712109",
"267988015050726383229789406717663309385",
"207483087018928932457620947208962935799",
"148567005781699852168790613246091144599",
"82343631520969398051668620251789248814",
"111842247390050410502294872670157281856",
"10924242472976835605170767686368818739",
"84174454785958323169869856192526485979",
"307447797371164170274157642957916812963",
"281047729979283844002834106446156388446",
"308514368120522569478081900290545299149",
"69805901784525601618143333939081718301",
"70174127635930824814876668455718196785",
"203234076100918938636495022942760438215",
"285930343157536831389757126064677153977",
"312295529140600443103095412444407716780",
"171114330794355064827857131863701703467",
"17884897235783820974622947621930971760",
"279329066849053699105886928728465803426",
"218156251394807342999802522869194794512",
"143437972771007319145860402599550628705",
"27126811559194438817523773378939751261",
"165065680497166923907792013388147097167",
"83242616790859530961400025013881959091",
"45989177370302123971553474494681809546",
"36355781973237143008870582254936485083",
"292788350059573098901529923254781188104",
"150014816875297205153393816694723949688",
"213630356428836136811281004911530800278",
"60663561913635988693753478164086607663",
"21030043684262538312105544084764537268",
"126382606569162579644208640532493303017",
"291738589901428612747090227289592918863",
"193850093601531156428750756620375144459",
"221420799214332496252197720407127405785",
"25875269966338149445780818429590168254",
"277554504788476184951903815018312219695",
"71084764522513658112931318187242975935",
"33201208192126134631516781503839169675",
"290151408285613534655945623224737621507",
"258229185044055793592363891282962391822",
"320188452430753615126223527489790148952",
"75539221857763989325286846064377856985",
"96368279401431717240303587428378956023",
"61106248137338598987667066422060545184",
"41760352937686080292159257670119501680",
"323231660268818169227518357768590328606",
"175763268659430191847877330824323991631",
"225193683866976028196670573192445434319",
"132114195719130212197970844242685684005",
"107062082136954775309727231658658731453",
"328989979962512982711714966933404743251",
"306905376750439753473269687184356796589",
"161725257722321213361339799648722239967",
"81039759520402874563429823388535791754",
"80910217156075811660946128805859910761",
"118041511813664650677563154975004232805",
"305407463024304548130196606906410878762",
"308427503684772423539729168206468385829",
"28124441062179235024520285848844134207",
"318931768558187983545283493781007759371"
],
"threshold": 0.9
},
"target": {
"file": "modules/http2/h2_request.c"
},
"id": "CVE-2021-33193-be45e9fc",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "14444904182904435248665821584584540141",
"length": 1194.0
},
"target": {
"function": "create_core_server_config",
"file": "server/core.c"
},
"id": "CVE-2021-33193-c5b77995",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"123798549056537812526543562573591923671",
"206131790062190841054101511644919316089",
"202864321295717470447418938453272908536",
"153396622180940513818015179984478971807",
"336174498130191630430183632067373381886",
"264822548778182401780797971766729617356",
"272555637027767396345917613114770505657"
],
"threshold": 0.9
},
"target": {
"file": "server/core_filters.c"
},
"id": "CVE-2021-33193-d0825caa",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"199676290575885150834466743024196709675",
"168972976034580665564185406588487943216",
"60299870258254124103018396926416930670"
],
"threshold": 0.9
},
"target": {
"file": "include/http_vhost.h"
},
"id": "CVE-2021-33193-d82cd92f",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Line"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "266107439484675358905626652605879715703",
"length": 5894.0
},
"target": {
"function": "ap_read_request",
"file": "server/protocol.c"
},
"id": "CVE-2021-33193-dcadf438",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "89776180564904978483028955102045239638",
"length": 1168.0
},
"target": {
"function": "ap_parse_uri",
"file": "server/protocol.c"
},
"id": "CVE-2021-33193-e955704c",
"source": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c",
"signature_type": "Function"
}
]