CVE-2021-20213

7.5 HIGH

📋 TL;DR

This vulnerability in Privoxy allows a denial-of-service attack when specific conditions are met. If accept-intercepted-requests is enabled and Privoxy fails to parse the Host header while memory allocation fails, it dereferences a NULL pointer causing a crash. This affects Privoxy users with accept-intercepted-requests enabled in versions before 3.0.29.

💻 Affected Systems

Products:
  • Privoxy
Versions: All versions before 3.0.29
Operating Systems: All operating systems running Privoxy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when accept-intercepted-requests is enabled in configuration

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of Privoxy proxy, causing loss of proxy functionality for all users

🟠 Likely Case

Intermittent crashes of Privoxy service requiring manual restart

🟢 If Mitigated

No impact if accept-intercepted-requests is disabled or a fixed version is used

🌐 Internet-Facing: MEDIUM - Internet-facing Privoxy instances with accept-intercepted-requests enabled could be targeted for DoS
🏢 Internal Only: LOW - Internal-only instances have limited attack surface and lower impact

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires specific configuration (accept-intercepted-requests enabled) and conditions (failed Host header parsing with memory allocation failure)

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.29 and later

Vendor Advisory: https://www.privoxy.org/3.0.29/user-manual/whatsnew.html

Restart Required: Yes

Instructions:

1. Download Privoxy 3.0.29 or later from privoxy.org
2. Stop Privoxy service
3. Install new version
4. Restart Privoxy service

🔧 Temporary Workarounds

Disable accept-intercepted-requests

Disable the vulnerable configuration option to prevent exploitation

Edit privoxy config file and set: accept-intercepted-requests 0
Restart privoxy: systemctl restart privoxy

🧯 If You Can't Patch

  • Disable accept-intercepted-requests in configuration
  • Implement network segmentation to limit access to Privoxy instances

🔍 How to Verify

Check if Vulnerable:

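Run privoxy --version to check the installed version, then check whether accept-intercepted-requests is enabled in the Privoxy configuration file. A host is vulnerable only if the version is earlier than 3.0.29 and the option is enabled.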

Check Version:

privoxy --version

Verify Fix Applied:

Verify version is 3.0.29 or later: privoxy --version
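
The check above as a script, added here as an example and not taken from Privoxy or this advisory: it classifies a host from its version number and configuration file. The function names, the /etc/privoxy/config path in the usage comment, and the treatment of the last uncommented directive as the effective one are assumptions.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2021-20213 exposure.
# Inputs: the version number reported by `privoxy --version` and the path
# to the Privoxy configuration file (path is site-specific, an assumption).

FIXED_VERSION="3.0.29"   # first fixed release, per the advisory

# version_lt A B: succeeds if dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# intercept_enabled FILE: succeeds if accept-intercepted-requests is on.
# Commented-out lines are skipped; the last remaining directive wins
# (assumption). A missing directive counts as 0, matching the advisory's
# statement that the default configuration is not vulnerable. Any value
# other than 0 is treated as enabled, to err on the side of flagging.
intercept_enabled() {
    value=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "accept-intercepted-requests" { v = $2 }
        END { print (v == "" ? 0 : v) }
    ' "$1")
    [ "$value" != "0" ]
}

# assess VERSION FILE: prints PATCHED, VULNERABLE or NOT_EXPOSED.
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "PATCHED"
    elif intercept_enabled "$2"; then
        echo "VULNERABLE"
    else
        echo "NOT_EXPOSED"
    fi
}

# Usage (values are placeholders): assess 3.0.28 /etc/privoxy/config
```

NOT_EXPOSED means the version is still affected but the option is off, so the host should still be scheduled for upgrade.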

📡 Detection & Monitoring

Log Indicators:

  • Privoxy crash logs
  • Segmentation fault errors in system logs
  • Unexpected service restarts

Network Indicators:

  • Sudden loss of proxy connectivity
  • HTTP requests failing to proxy

SIEM Query:

source="privoxy.log" AND ("segmentation fault" OR "crash" OR "NULL pointer")
