Home > Vulnerability Database > CVE-2021-31618

Mend.io Vulnerability Database

CVE-2021-31618

Good to know:

Date: June 14, 2021

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

Language: C

Severity Score

7.5

Related Resources (23)

Url: https://security.archlinux.org/CVE-2021-31618

Url: https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html

Url: http://www.openwall.com/lists/oss-security/2024/03/13/2

Url: https://seclists.org/oss-sec/2021/q2/206

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/

Url: http://www.openwall.com/lists/oss-security/2021/06/10/9

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/

Url: https://security.alpinelinux.org/vuln/CVE-2021-31618

Url: http://httpd.apache.org/security/vulnerabilities_24.html

Url: https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1@%3Ccvs.httpd.apache.org%3E

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/

Url: https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f@%3Ccvs.httpd.apache.org%3E

Url: https://security.gentoo.org/glsa/202107-38

Url: https://www.debian.org/security/2021/dsa-4937

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-31618

Url: https://security.netapp.com/advisory/ntap-20210727-0008/

Url: https://github.com/apache/httpd/commit/f990e5ecad40b100a8a5c7c1033c46044a9cb244

Url: https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://security-tracker.debian.org/tracker/CVE-2021-31618

Url: https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2021-31618

Severity Score

7.5

Weakness Type (CWE)

NULL Pointer Dereference

CWE-476

Top Fix

Upgrade Version

Upgrade to version 2.4.48

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-31618

Good to know:

Date: June 14, 2021

Language: C

Severity Score

Related Resources (23)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?