CVE-2021-41732

CVSS base score: 7.5 HIGH

📋 TL;DR

CVE-2021-41732 is an HTTP request splitting issue in Zeek 4.1.0. A crafted HTTP request can be parsed by Zeek's HTTP analyzer as a different sequence of requests than the one the receiving web server processes, so http.log and any detection built on it no longer describe what the server actually did. It affects organizations that rely on Zeek for network security monitoring of HTTP traffic. The vendor's position is that this is intended behavior for handling malformed HTTP requests rather than a vulnerability, and there is no official patch.

💻 Affected Systems

Products:
  • Zeek (formerly Bro)
Versions: 4.1.0 (the version named in the CVE record)
Operating Systems: All platforms running Zeek
Default Config Vulnerable: ⚠️ Yes (the HTTP analyzer is enabled by default)
Notes: Only the HTTP protocol analyzer is involved. The vendor maintains that the way the analyzer handles malformed HTTP requests is intended behavior, so the issue is disputed rather than fixed.

📦 What is this software?

Zeek (formerly Bro) is an open-source network security monitoring framework. It passively analyzes network traffic and writes per-protocol logs, including http.log for HTTP requests and replies, that security teams use for detection, hunting and incident response.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who can reach a monitored web server crafts requests that the server executes but that Zeek logs differently or not at all, so the malicious HTTP traffic is absent from http.log and from every alert built on it, while the surrounding traffic looks legitimate.

🟠

Likely Case

HTTP-based alerts and analysis become unreliable for the affected connections: http.log may miss requests the server processed or record requests the server never executed, producing both missed detections and false positives.

🟢

If Mitigated

With a second HTTP-aware record (web server access logs, reverse proxy or WAF logs) correlated against http.log, the impact is limited to a known blind spot in Zeek's own HTTP view that the other source covers.

🌐 Internet-Facing: MEDIUM - Affects monitoring of internet-facing HTTP traffic but doesn't directly compromise systems.
🏢 Internal Only: MEDIUM - Impacts internal security monitoring and analysis of HTTP communications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to send a crafted HTTP request to a server whose traffic Zeek monitors; no authentication or user interaction is needed. No public exploit code is available.
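To make concrete what "request splitting" means for a passive monitor, here is an added Python example (not code from this page, from Zeek, or from the GitHub issue). It implements a minimal HTTP/1.1 request parser and runs it twice over the same constructed byte stream, once letting Content-Length decide the body length and once letting Transfer-Encoding decide, and shows that the two see different request sequences. The stream is the textbook Content-Length/Transfer-Encoding ambiguity chosen for illustration; the page does not describe the specific input reported against Zeek, and this example does not claim to reproduce it. Whichever of the two rules a monitor and a server each apply, when they differ the monitor's log no longer matches what the server executed.

```python
from __future__ import annotations


def _parse_headers(block: bytes) -> tuple[str, dict[str, str]]:
    """Split a header block into its request line and a lowercase-keyed header dict."""
    lines = block.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            key = name.strip().lower().decode("ascii", "replace")
            headers[key] = value.strip().decode("ascii", "replace")
    return request_line, headers


def _read_chunked(data: bytes, start: int) -> tuple[bytes, int]:
    """Decode a chunked body at `start`; return (body, offset just past the final empty line)."""
    body, pos = b"", start
    while True:
        eol = data.index(b"\r\n", pos)                  # ValueError if the stream is truncated
        size = int(data[pos:eol].split(b";")[0], 16)    # chunk extensions are ignored
        pos = eol + 2
        if size == 0:                                   # last chunk; trailers not handled here
            return body, data.index(b"\r\n", pos) + 2
        body += data[pos:pos + size]
        pos += size + 2                                 # chunk data plus its CRLF


def parse_requests(stream: bytes, prefer: str) -> list[dict]:
    """Parse consecutive HTTP/1.1 requests from one client-to-server byte stream.

    `prefer` is "cl" or "te": which header decides the body length when a request
    carries both Content-Length and Transfer-Encoding: chunked. RFC 7230 says
    Transfer-Encoding must win; a parser that lets Content-Length win disagrees
    with one that follows the RFC. Parsing stops at the first malformed request,
    which is recorded as such so the caller can see the leftover bytes.
    """
    requests: list[dict] = []
    pos = 0
    while pos < len(stream):
        while stream.startswith(b"\r\n", pos):          # RFC 7230 3.5: skip leading empty lines
            pos += 2
        if pos >= len(stream):
            break
        end = stream.find(b"\r\n\r\n", pos)
        request_line, headers = _parse_headers(stream[pos:end]) if end != -1 else ("", {})
        parts = request_line.split(" ")
        if end == -1 or len(parts) != 3:
            requests.append({"malformed": stream[pos:]})
            break
        pos = end + 4
        chunked = "chunked" in headers.get("transfer-encoding", "").lower()
        has_cl = "content-length" in headers
        try:
            if chunked and (prefer == "te" or not has_cl):
                body, pos = _read_chunked(stream, pos)
            elif has_cl:
                n = int(headers["content-length"])
                body, pos = stream[pos:pos + n], pos + n
            else:
                body = b""
        except ValueError:
            requests.append({"malformed": stream[pos:]})
            break
        requests.append({"method": parts[0], "target": parts[1], "body": body})
    return requests


# Constructed stream (not a real capture): one POST whose framing is ambiguous,
# with a second request line carried inside the chunked body. 0x20 == 32 == len(SMUGGLED).
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"
STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: x\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"20\r\n" + SMUGGLED + b"\r\n"
    b"0\r\n\r\n"
)


def compare_views(stream: bytes) -> dict[str, list[str]]:
    """Request targets as seen by a Content-Length-preferring and a Transfer-Encoding-preferring parser."""
    return {
        "cl_targets": [r["target"] for r in parse_requests(stream, "cl") if "target" in r],
        "te_targets": [r["target"] for r in parse_requests(stream, "te") if "target" in r],
    }


if __name__ == "__main__":
    views = compare_views(STREAM)
    print("Content-Length wins:   ", views["cl_targets"])   # ['/', '/admin']
    print("Transfer-Encoding wins:", views["te_targets"])   # ['/']
```

Run it directly to print both views: the Content-Length parser sees a POST followed by a GET /admin (plus leftover junk), the Transfer-Encoding parser sees a single POST whose body happens to contain a request line. A monitor that wants its http.log to match a compliant server has to apply the same framing rule the server does, and has to decide what to record when it cannot tell.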

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A (no fix; the vendor disputes the issue)

Vendor Advisory: https://github.com/zeek/zeek/issues/1798 (GitHub issue containing the vendor's response; there is no separate advisory)

Restart Required: N/A

Instructions:

There is no official patch because the vendor considers the parsing behavior intended. Upgrading to a current release is still worthwhile for unrelated fixes, but an upgrade should not be recorded as remediation for this issue; use the workarounds below.

🔧 Temporary Workarounds

Disable HTTP protocol analysis (all platforms)

Turn off Zeek's HTTP analyzer so the ambiguous parsing cannot be triggered. Removing @load lines for policy/protocols/http from local.zeek is not enough: those are optional HTTP policy scripts, while the analyzer itself is loaded by Zeek's base scripts. Add the following to local.zeek instead:

redef Analyzer::disabled_analyzers += { Analyzer::ANALYZER_HTTP };

Caveat: this stops http.log and every HTTP-based detection entirely. For most deployments that is a far larger loss of visibility than the issue itself, so treat it as a last resort.

Use alternative HTTP monitoring (all platforms)

Supplement Zeek with a source that records requests as the server actually parsed them: the web server's own access log, a reverse proxy or WAF log, or host-based instrumentation.

🧯 If You Can't Patch

  • Collect the web server's own access logs (or reverse proxy/WAF logs) and correlate them with Zeek's http.log, so that requests Zeek missed or split differently show up as count or URI discrepancies
  • Ship the sensor's weird.log to the SIEM and alert on HTTP analyzer weirds; they flag malformed requests even though they will not catch every parsing divergence
  • Network segmentation limits which clients can reach monitored servers at all, but it does not change how Zeek parses the requests that do arrive

🔍 How to Verify

Check if Vulnerable:

Check Zeek version: zeek --version. The CVE record names 4.1.0; if that version is running with the HTTP analyzer enabled (the default), the system is affected. Because the vendor treats the parsing behavior as intended rather than as a bug that was fixed, do not assume that a different version number by itself means the analyzer parses such requests differently.

Check Version:

zeek --version

Verify Fix Applied:

No official fix exists. Confirm either that the HTTP analyzer is disabled (Zeek no longer writes http.log) or that the compensating HTTP log source is being collected and correlated against http.log.

📡 Detection & Monitoring

Log Indicators:

  • http.log: several requests on one connection (same uid, increasing trans_depth) where the later ones have methods, URIs or hosts that do not fit the client's normal traffic, or requests whose fields are largely unset ("-")
  • weird.log: entries raised by the HTTP analyzer, for example bad_HTTP_request, HTTP_version_mismatch or unmatched_HTTP_reply (examples of HTTP weird names, not a complete list)
  • Request counts in http.log that do not match the web server's own access log for the same client and time window. A request Zeek parses cleanly but differently from the server produces no weird at all, so the count comparison is the more reliable signal

Network Indicators:

  • HTTP requests with ambiguous framing, in particular both Content-Length and Transfer-Encoding present, unusual chunk sizes, or line endings other than CRLF (the CVE record does not state the exact construct; these are the standard request-splitting patterns)
  • Sustained HTTP traffic from a client to a monitored server that never appears, or appears with different URIs, in the server's own logs

SIEM Query:

index=zeek sourcetype="zeek:weird" (name="bad_HTTP_request" OR name="HTTP_version_mismatch" OR name="unmatched_HTTP_reply")

The index and sourcetype names are assumptions that depend on how weird.log is shipped; adjust them to the local ingestion pipeline. Because a cleanly mis-parsed request leaves no weird, pair this query with a comparison of http.log against the server's access log.
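The count comparison recommended under "If You Can't Patch" and in the log indicators above, as an added Python example (not part of this page or of Zeek). It reads a constructed Zeek http.log in JSON format and a constructed Apache-style access log from the same server, counts requests per client IP and minute in each, and reports clients where the two disagree in either direction. The log lines, IPs, uids and timestamps are made up for the example; the Zeek field names (ts, uid, id.orig_h, trans_depth, method, uri) are Zeek's own.

```python
from __future__ import annotations

import json
import re
from collections import Counter
from datetime import datetime

# Constructed Zeek http.log in JSON format (one line per request/reply pair Zeek
# believes it saw). Not a real capture; field names follow Zeek's http.log.
ZEEK_HTTP_LOG = """\
{"ts":1633024800.10,"uid":"CAa1","id.orig_h":"10.0.0.5","id.orig_p":40001,"id.resp_h":"10.0.0.80","id.resp_p":80,"trans_depth":1,"method":"GET","host":"app","uri":"/","status_code":200}
{"ts":1633024801.20,"uid":"CAa2","id.orig_h":"10.0.0.9","id.orig_p":40002,"id.resp_h":"10.0.0.80","id.resp_p":80,"trans_depth":1,"method":"POST","host":"app","uri":"/","status_code":200}
{"ts":1633024802.00,"uid":"CAa3","id.orig_h":"10.0.0.7","id.orig_p":40003,"id.resp_h":"10.0.0.80","id.resp_p":80,"trans_depth":1,"method":"GET","host":"app","uri":"/login","status_code":200}
{"ts":1633024803.00,"uid":"CAa4","id.orig_h":"10.0.0.11","id.orig_p":40004,"id.resp_h":"10.0.0.80","id.resp_p":80,"trans_depth":1,"method":"POST","host":"app","uri":"/upload","status_code":200}
{"ts":1633024803.05,"uid":"CAa4","id.orig_h":"10.0.0.11","id.orig_p":40004,"id.resp_h":"10.0.0.80","id.resp_p":80,"trans_depth":2,"method":"GET","host":"app","uri":"/","status_code":200}
"""

# Constructed Apache/nginx "combined"-style access log from the same server and
# the same minute (30/Sep/2021 18:00:00 UTC == epoch 1633024800). Not a real log.
ACCESS_LOG = """\
10.0.0.5 - - [30/Sep/2021:18:00:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.9 - - [30/Sep/2021:18:00:01 +0000] "POST / HTTP/1.1" 200 12
10.0.0.9 - - [30/Sep/2021:18:00:01 +0000] "GET /admin HTTP/1.1" 403 0
10.0.0.7 - - [30/Sep/2021:18:00:02 +0000] "GET /login HTTP/1.1" 200 1024
10.0.0.11 - - [30/Sep/2021:18:00:03 +0000] "POST /upload HTTP/1.1" 200 7
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)"')


def zeek_request_counts(log_text: str) -> Counter:
    """Requests per (client IP, minute bucket) as recorded in Zeek's http.log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        counts[(rec["id.orig_h"], int(rec["ts"] // 60))] += 1
    return counts


def server_request_counts(log_text: str) -> Counter:
    """Requests per (client IP, minute bucket) as recorded by the web server itself."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        counts[(m["ip"], int(ts // 60))] += 1
    return counts


def find_discrepancies(zeek_log: str, access_log: str) -> list[dict]:
    """Clients whose request count differs between Zeek and the server in any minute.

    zeek < server: the server processed requests that Zeek never logged.
    zeek > server: Zeek split the stream into more requests than the server executed.
    Either direction means http.log cannot be trusted for that client and window.
    """
    zeek = zeek_request_counts(zeek_log)
    server = server_request_counts(access_log)
    out = []
    for key in sorted(set(zeek) | set(server)):
        if zeek[key] != server[key]:
            ip, minute = key
            out.append({"client": ip, "window": minute * 60,
                        "zeek": zeek[key], "server": server[key]})
    return out


if __name__ == "__main__":
    for d in find_discrepancies(ZEEK_HTTP_LOG, ACCESS_LOG):
        print(d)
```

On the sample data this flags 10.0.0.9 (the server logged a GET /admin that Zeek never recorded) and 10.0.0.11 (Zeek logged two requests where the server executed one). In production, feed it the live logs, allow for clock skew between the sensor and the server, and, if the server logs the client port, key on (client IP, client port) instead of IP and minute for a much tighter match.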
