CVE-2021-20215

7.5 HIGH

📋 TL;DR

Privoxy before 3.0.29 leaks memory in the show-status CGI handler whenever a memory allocation inside that handler fails. The built-in CGI pages are served to any client that can use the proxy, so an attacker who can drive requests through Privoxy can repeatedly hit this path; each failed allocation leaks a little more until the Privoxy process exhausts its memory and dies. The result is a denial of service against every client relying on the proxy, with no authentication or user interaction required.

💻 Affected Systems

Products:
  • Privoxy
Versions: All versions before 3.0.29
Operating Systems: Linux, Unix-like systems, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: show-status is one of Privoxy's built-in CGI pages (served at http://config.privoxy.org/show-status, alias http://p.p/show-status). It is always enabled and is reachable by every client allowed to use the proxy, so a default install is affected.

📦 What is this software?

Privoxy is a non-caching web proxy with filtering capabilities: it modifies web page content and HTTP headers, controls access, and removes ads and other unwanted content, and is typically deployed on a workstation or a small network to enhance privacy. Its configuration and status pages are served by built-in CGI handlers through the proxy itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker repeatedly triggers the leak until the Privoxy process exhausts its memory and crashes or is killed by the OS, producing a prolonged denial of service for every user relying on Privoxy for web filtering or privacy. If the service is not supervised and restarted automatically, the outage lasts until an operator intervenes.

🟠

Likely Case

Targeted or opportunistic floods of requests against the proxy that degrade it or take it down, disrupting web access for users behind it until the process is restarted.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to internal service disruption without broader system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The leak is only exercised when an allocation inside the show-status handler fails, so the attacker does not control the trigger directly; the practical path is a high volume of requests for the show-status page against a memory-constrained process, where every failed allocation leaks a little more. No credentials are needed: Privoxy serves its CGI pages to any client that can use the proxy.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.29

Vendor Advisory: https://www.privoxy.org/3.0.29/user-manual/whatsnew.html

Restart Required: Yes

Instructions:

1. Download Privoxy 3.0.29 or later from the official website (or pull the updated package from your distribution).
2. Stop the current Privoxy service.
3. Install the updated version.
4. Restart the Privoxy service.

🔧 Temporary Workarounds

Restrict who can reach the CGI handler

all

show-status is a built-in CGI page and cannot be switched off. The enable-remote-toggle and enable-edit-actions directives control other CGI functions (the toggle page and the actions editor) and have no effect on it, so the only configuration-level control is to limit which clients may use the proxy at all.

Edit the Privoxy config file (e.g., /etc/privoxy/config): bind the proxy to a loopback or internal address with the listen-address directive, and use permit-access and deny-access to allow only trusted client addresses. Restart Privoxy after the change.

🧯 If You Can't Patch

  • Restrict network access to Privoxy's listening port (default 8118) to trusted internal networks only.
  • Rate-limit per-source connections to the proxy port at the firewall. A network firewall cannot see the CGI path inside a proxied request, so limit connection rates rather than trying to block show-status by URL.
  • Run Privoxy under a service manager that restarts it on exit, and consider a memory limit (for example a systemd MemoryMax setting or a ulimit) so a leaking process is killed and restarted rather than starving the host.

🔍 How to Verify

Check if Vulnerable:

Check the Privoxy version; if it is earlier than 3.0.29, the system is vulnerable.

Check Version:

privoxy --version

Verify Fix Applied:

Confirm that privoxy --version reports 3.0.29 or later, then request http://config.privoxy.org/show-status through the proxy and check that the version shown at the top of the page matches the binary you installed (a stale process may still be running the old code).
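The version check above, as an added example that is not part of the advisory or the Privoxy project. It assumes that the banner printed by privoxy --version contains the text "Privoxy version X.Y.Z"; the BANNER_RE pattern, the function names and the sample banners are all this example's own.

```python
"""Check whether an installed Privoxy predates the 3.0.29 fix for CVE-2021-20215.

Added example; not from the advisory or the Privoxy project. ASSUMPTION: the
banner printed by `privoxy --version` contains "Privoxy version X.Y.Z"; adjust
BANNER_RE if your build prints something different.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (3, 0, 29)
BANNER_RE = re.compile(r"Privoxy version (\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a --version banner, or None if absent."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner shows a version before 3.0.29; None if unparseable.

    Tuple comparison handles multi-digit components correctly (3.0.33 is newer
    than 3.0.29), which a plain string comparison would get wrong.
    """
    version = parse_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_installed(binary: str = "privoxy") -> Tuple[Optional[str], Optional[bool]]:
    """Run the real binary and classify it; (None, None) if it cannot be run."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None, None
    banner = (proc.stdout + proc.stderr).strip()
    return banner, is_vulnerable(banner)


if __name__ == "__main__":
    banner, vulnerable = check_installed()
    if banner is None:
        print("privoxy binary not found or did not respond")
    elif vulnerable is None:
        print(f"could not parse a version from: {banner!r}")
    else:
        print(f"{banner}: {'VULNERABLE (< 3.0.29)' if vulnerable else 'fixed'}")
```

Run it on the host as the user that can execute the privoxy binary; it only reads the banner and makes no network requests. A "fixed" result still needs the follow-up check that the running process is the new binary.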

📡 Detection & Monitoring

Log Indicators:

  • Unusual number of requests for the show-status CGI page (config.privoxy.org/show-status or p.p/show-status); Privoxy records each proxied request in its logfile when the debug 1 level is enabled
  • Privoxy process exiting or being restarted by the service manager, or OOM-killer entries for privoxy in the system log

Network Indicators:

  • High volume of connections or HTTP requests to Privoxy's listening port (default 8118) from one or many sources, particularly requests for the built-in CGI hostnames

SIEM Query:

source="privoxy" AND (uri_path="/show-status" OR event="crash")
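The log indicator above (a burst of show-status requests), as detection logic over sample log lines. This is an added example, not part of the advisory. It assumes Privoxy's debug 1 request-log format ("YYYY-MM-DD HH:MM:SS.mmm <thread-id> Request: host/path"); the sample log lines are constructed, not captured, and the window and threshold values are arbitrary starting points to tune for your traffic.

```python
"""Flag bursts of show-status CGI requests in a Privoxy logfile (CVE-2021-20215).

Added example, not part of the advisory. ASSUMPTION: lines follow Privoxy's
`debug 1` request-log format, e.g.
    2021-02-01 12:00:00.123 7f8a4c1f4700 Request: config.privoxy.org/show-status
Sample lines below are constructed for the example, not captured from a host.
"""
import re
from collections import deque
from datetime import datetime
from typing import Iterable, Iterator, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d{3} \S+ Request: (?P<url>\S+)"
)
# Privoxy answers its built-in CGI pages on either of these hostnames.
CGI_HOSTS = ("config.privoxy.org", "p.p")


def is_show_status(url: str) -> bool:
    """True for requests to the show-status CGI page on either CGI hostname."""
    host, _, path = url.partition("/")
    return host in CGI_HOSTS and path.split("?", 1)[0] == "show-status"


def parse_requests(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, url) for each debug-1 Request line; ignore other lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["url"]


def find_bursts(lines: Iterable[str], window_seconds: int = 60,
                threshold: int = 20) -> List[datetime]:
    """Return the timestamps at which a sliding window first exceeded `threshold`
    show-status requests. The window is cleared after each alert so one sustained
    burst produces one alert rather than one per request.
    """
    recent: deque = deque()
    alerts: List[datetime] = []
    for ts, url in parse_requests(lines):
        if not is_show_status(url):
            continue
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) > threshold:
            alerts.append(ts)
            recent.clear()
    return alerts


def _make_sample_log() -> List[str]:
    """Constructed sample: 25 show-status hits in 25 s, plus unrelated traffic."""
    tid = "7f8a4c1f4700"
    lines = [f"2021-02-01 12:00:00.001 {tid} Request: www.example.org/"]
    for i in range(25):
        lines.append(f"2021-02-01 12:00:{i:02d}.500 {tid} Request: config.privoxy.org/show-status")
    lines.append(f"2021-02-01 12:00:30.000 {tid} Request: p.p/show-url-info?url=example.org")
    lines.append(f"2021-02-01 12:05:00.000 {tid} Request: config.privoxy.org/show-status")
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for when in find_bursts(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} burst of show-status requests")
```

Point it at the real logfile (for example by replacing SAMPLE_LOG with open("/var/log/privoxy/logfile")) once debug 1 is enabled. Privoxy's Request lines do not carry the client address, so this flags the burst itself; correlate with the firewall or connection logs to attribute it to a source.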
