CVE-2021-33193

7.5 HIGH

📋 TL;DR

CVE-2021-33193 is an HTTP/2 request smuggling vulnerability in Apache HTTP Server. A crafted method sent in an HTTP/2 request (the :method pseudo-header) bypasses request validation and is forwarded unchanged by mod_proxy; when the request is rewritten as HTTP/1.1 for the backend, the injected bytes are interpreted as part of a second request, which can lead to request splitting or cache poisoning. It affects Apache HTTP Server 2.4.17 through 2.4.48 when HTTP/2 (mod_http2) is offered to clients and mod_proxy forwards requests to a backend.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.17 to 2.4.48 (fixed in 2.4.49)
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable: ✅ No
Notes: Requires mod_http2 to be loaded with HTTP/2 offered to clients (Protocols h2 or h2c) and mod_proxy (with mod_proxy_http) forwarding requests to a backend. HTTP/2 is not offered by default, so a stock configuration is not exposed; servers that only speak HTTP/1.1 to clients, or that do not load mod_proxy, are not affected. Distribution packages may backport the fix to an older version string, so check the package changelog rather than relying on the version number alone.

📦 What is this software?

Apache HTTP Server (httpd) is the Apache Software Foundation's open-source web server. mod_proxy provides its reverse-proxy and gateway functionality, and mod_http2 implements HTTP/2 for client connections; the two together form the affected configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could split a single forwarded request into two at the backend, so that front-end security controls (authentication, path restrictions, filtering) that only see the first request are bypassed, or poison a shared proxy or CDN cache so that other users are served attacker-controlled responses.

🟠

Likely Case

Cache poisoning leading to users receiving malicious content or request smuggling that bypasses security filters.

🟢

If Mitigated

Limited impact where HTTP/2 is not offered to clients or mod_proxy is not loaded, which removes the attack path entirely; network segmentation and a WAF that validates the HTTP/2 :method pseudo-header reduce exposure further.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation only requires sending an HTTP/2 request with a crafted :method pseudo-header to a vulnerable proxy; no authentication is needed. The issue was reported by James Kettle of PortSwigger, whose research paper "HTTP/2: The Sequel is Always Worse" (Black Hat USA 2021) includes a public proof of concept, and the technique is implemented in the HTTP Request Smuggler extension for Burp Suite.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.49 and later. Note that 2.4.49 and 2.4.50 carry their own critical path-traversal bugs (CVE-2021-41773 and CVE-2021-42013), so upgrade to the current 2.4.x release rather than stopping at 2.4.49.

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Most deployments use distribution packages: run the package manager update (for example apt upgrade apache2, yum update httpd or dnf update httpd) and confirm the package changelog references CVE-2021-33193, since distributions may backport the fix without changing the 2.4.x version string
2. For a source or vendor build, download Apache HTTP Server 2.4.49 or later (preferably the current 2.4.x release) from https://httpd.apache.org/download.cgi
3. Stop the Apache service
4. Back up configuration files
5. Install the new version
6. Restart the Apache service and confirm the running version with httpd -v

🔧 Temporary Workarounds

Disable HTTP/2 on the affected server

Applies to: all platforms

The Protocols directive controls which protocols Apache offers on client-facing connections; it is not a mod_proxy setting. Removing h2 and h2c so that clients can only speak HTTP/1.1 closes the path the crafted method arrives on. Apply it in the main server config and in every VirtualHost that currently sets Protocols h2 or h2c (alternatively, do not load mod_http2 at all), then restart httpd.

# In httpd.conf and in every VirtualHost that enables h2/h2c:
Protocols http/1.1

Disable mod_proxy if not needed

Applies to: all platforms

If the server does not act as a reverse proxy, remove or comment out the mod_proxy modules (and any ProxyPass or ProxyPassReverse directives that depend on them), then restart httpd. Without mod_proxy the crafted method is never forwarded to a backend.

# In httpd.conf:
# Comment out or remove:
# LoadModule proxy_module modules/mod_proxy.so
# LoadModule proxy_http_module modules/mod_proxy_http.so

🧯 If You Can't Patch

  • Terminate HTTP/2 in front of Apache (a load balancer or CDN that speaks HTTP/1.1 to Apache), so the crafted method never reaches the affected code path; make sure that front end validates the :method pseudo-header itself
  • Implement a Web Application Firewall (WAF) that decodes HTTP/2 and rejects methods containing spaces or control characters, rather than one that only inspects the downgraded HTTP/1.1 form
  • Use network segmentation to isolate proxy servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

A host is exposed only if all three hold: the version is 2.4.17 through 2.4.48, mod_http2 and mod_proxy are both loaded, and some Protocols directive offers h2 or h2c to clients. On Debian/Ubuntu the binaries are apache2 and apache2ctl.

httpd -v
httpd -M 2>/dev/null | grep -E 'http2_module|proxy_module'
grep -rE '^[[:space:]]*Protocols' /etc/httpd /etc/apache2 2>/dev/null

Check Version:

httpd -v

Verify Fix Applied:

Verify the reported version is 2.4.49 or later (matching only the Apache/2.4. prefix is not enough, since every affected release shares it):

httpd -v | grep -E 'Apache/2\.4\.(49|[5-9][0-9])'

For distribution packages the version string can stay below 2.4.49 after the fix is backported, so check the package changelog for the CVE id instead:

rpm -q --changelog httpd | grep CVE-2021-33193
apt changelog apache2 | grep CVE-2021-33193
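The two checks above can be combined into one offline assessment. The script below is an added example written for this page, not Apache project code; it assumes the `httpd -v` and `httpd -M` output formats shown in the constructed samples, and the verdict names (unknown, patched-version, not-exposed, vulnerable) are this example's own.

```shell
#!/bin/sh
# Added example: assess CVE-2021-33193 exposure from `httpd -v` and `httpd -M`
# output. The inputs below are constructed samples; on a real host pass
# "$(httpd -v)" and "$(httpd -M 2>/dev/null)" instead (apache2 / apache2ctl
# on Debian/Ubuntu).

SAMPLE_V_OLD='Server version: Apache/2.4.48 (Unix)
Server built:   Jun  1 2021 10:22:03'
SAMPLE_V_NEW='Server version: Apache/2.4.57 (Unix)
Server built:   Apr  6 2023 15:47:21'
SAMPLE_MODS_EXPOSED='Loaded Modules:
 core_module (static)
 http2_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)'
SAMPLE_MODS_H1_ONLY='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)'

# Pull "2.4.48" out of the "Server version:" line of httpd -v output.
httpd_version() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when $1 lies inside the affected range 2.4.17 .. 2.4.48.
version_affected() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%.*}
  [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 17 ] && [ "$patch" -le 48 ]
}

# True when the httpd -M listing shows both modules the advisory requires:
# mod_http2 (HTTP/2 front end) and mod_proxy (forwarding to a backend).
modules_exposed() {
  printf '%s\n' "$1" | grep -q '^ *http2_module' &&
    printf '%s\n' "$1" | grep -q '^ *proxy_module'
}

# Prints one of: unknown, patched-version, not-exposed, vulnerable.
# Caveat: "patched-version" trusts the version string; distro packages that
# backport the fix keep an old version string, so also check the changelog.
assess() {
  ver=$(httpd_version "$1")
  if [ -z "$ver" ]; then
    echo unknown
  elif ! version_affected "$ver"; then
    echo patched-version
  elif modules_exposed "$2"; then
    echo vulnerable
  else
    echo not-exposed
  fi
}

assess "$SAMPLE_V_OLD" "$SAMPLE_MODS_EXPOSED"   # vulnerable
assess "$SAMPLE_V_OLD" "$SAMPLE_MODS_H1_ONLY"   # not-exposed
assess "$SAMPLE_V_NEW" "$SAMPLE_MODS_EXPOSED"   # patched-version
```

The module check deliberately ignores the Protocols directive, which lives in the configuration rather than in command output; treat "vulnerable" as "patch now" and "not-exposed" as "patch on the normal schedule", and confirm h2/h2c in the config before closing a finding either way.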

📡 Detection & Monitoring

Log Indicators:

  • Access-log request lines (%r) with protocol HTTP/2.0 whose method field is not a standard token, contains escaped control characters (\r, \n; Apache escapes non-printable bytes when logging), or has more than the usual three space-separated fields
  • Backend access logs showing requests (paths, methods, Host values) that the front-end Apache never logged, or more backend requests than front-end requests from the same client
  • Clusters of 400 or 5xx responses at the backend for requests the front end recorded as successful

Network Indicators:

  • HTTP/2 HEADERS frames whose :method pseudo-header contains spaces, CR or LF
  • HTTP/1.1 traffic from the proxy to the backend carrying two request lines inside one forwarded message

SIEM Query:

Field names depend on the log parser; with Splunk-style fields extracted from an Apache access log (extend the method list if the site uses WebDAV methods such as PROPFIND):

source="apache_access" AND http_version="HTTP/2.0" AND NOT method IN ("GET","HEAD","POST","PUT","DELETE","OPTIONS","PATCH")
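The same log indicators applied to raw combined-format access log lines, as an added example (not from the original page or the Apache project). The five lines are constructed samples; they assume Apache's rendering of an HTTP/2 request line as "method path HTTP/2.0" and its backslash escaping of control characters in the method.

```shell
#!/bin/sh
# Added example: flag HTTP/2 request lines in an Apache access log that look
# like CVE-2021-33193 probing. The log lines below are constructed samples.
SAMPLE_LOG='203.0.113.5 - - [10/Aug/2021:12:00:01 +0000] "GET /index.html HTTP/2.0" 200 1234
203.0.113.6 - - [10/Aug/2021:12:00:02 +0000] "POST /api/login HTTP/1.1" 200 512
203.0.113.7 - - [10/Aug/2021:12:00:03 +0000] "GET / HTTP/1.1\r\nTransfer-Encoding: chunked / HTTP/2.0" 400 0
203.0.113.8 - - [10/Aug/2021:12:00:04 +0000] "FOO /cached/page HTTP/2.0" 200 40
203.0.113.9 - - [10/Aug/2021:12:00:05 +0000] "OPTIONS /api HTTP/2.0" 204 0'

# Prints every HTTP/2 request line whose method is not a standard token, that
# does not have exactly three fields, or that carries escaped CR/LF.
flag_h2_smuggling() {
  printf '%s\n' "$1" | awk -F'"' '
    {
      req = $2                               # the quoted request line
      n = split(req, tok, " ")
      method = tok[1]; proto = tok[n]
      if (proto != "HTTP/2.0") next          # only requests that arrived as HTTP/2
      std = (method ~ /^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH)$/)
      if (!std || n != 3 || req ~ /\\r|\\n/) print $0
    }'
}

# Number of flagged lines, for dashboards or a threshold alert.
flagged_count() {
  flag_h2_smuggling "$1" | wc -l | tr -d ' '
}

flag_h2_smuggling "$SAMPLE_LOG"   # prints the 203.0.113.7 and 203.0.113.8 lines
```

On a live host run it as flag_h2_smuggling "$(cat /var/log/httpd/access_log)" or adapt the awk body into a log-shipper filter; add any WebDAV or custom methods the site legitimately uses to the allowlist, otherwise they will show up as false positives.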

🔗 References

  • Apache HTTP Server 2.4 vulnerabilities: https://httpd.apache.org/security/vulnerabilities_24.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-33193
  • James Kettle, "HTTP/2: The Sequel is Always Worse" (PortSwigger Research, 2021): https://portswigger.net/research/http2