CVE-2021-41524 (GCVE-0-2021-41524)

Vulnerability from cvelistv5 – Published: 2021-10-05 08:40 – Updated: 2024-08-04 03:15
VLAI
Title
null pointer dereference in h2 fuzzing
Summary
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
Severity
No CVSS data available.
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Credits
Apache httpd team would like to thank LI ZHI XIN from NSFocus Security Team for reporting this issue.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:15:28.450Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "name": "[oss-security] 20211005 CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/10/05/1"
          },
          {
            "name": "FEDORA-2021-5d2d4b6ac5",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/"
          },
          {
            "name": "20211007 Apache HTTP Server Vulnerabilties: October 2021",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ"
          },
          {
            "name": "FEDORA-2021-f94985afca",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211029-0009/"
          },
          {
            "name": "GLSA-202208-20",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-20"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "2.4.49"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache httpd team would like to thank LI ZHI XIN from NSFocus Security Team for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-14T01:07:21.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "name": "[oss-security] 20211005 CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/10/05/1"
        },
        {
          "name": "FEDORA-2021-5d2d4b6ac5",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/"
        },
        {
          "name": "20211007 Apache HTTP Server Vulnerabilties: October 2021",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ"
        },
        {
          "name": "FEDORA-2021-f94985afca",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20211029-0009/"
        },
        {
          "name": "GLSA-202208-20",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-20"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2021-09-17T00:00:00.000Z",
          "value": "reported by Gerald Lee"
        },
        {
          "lang": "en",
          "time": "2021-09-26T00:00:00.000Z",
          "value": "fixed by r1893655 in 2.4.x"
        }
      ],
      "title": "null pointer dereference in h2 fuzzing",
      "workarounds": [
        {
          "lang": "en",
          "value": "Disable the HTTP/2 protocol."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-41524",
          "STATE": "PUBLIC",
          "TITLE": "null pointer dereference in h2 fuzzing"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache HTTP Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "2.4.49"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache httpd team would like to thank LI ZHI XIN from NSFocus Security Team for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476 NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://httpd.apache.org/security/vulnerabilities_24.html",
              "refsource": "MISC",
              "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
            },
            {
              "name": "[oss-security] 20211005 CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/10/05/1"
            },
            {
              "name": "FEDORA-2021-5d2d4b6ac5",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/"
            },
            {
              "name": "20211007 Apache HTTP Server Vulnerabilties: October 2021",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ"
            },
            {
              "name": "FEDORA-2021-f94985afca",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20211029-0009/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20211029-0009/"
            },
            {
              "name": "GLSA-202208-20",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-20"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-09-17T00:00:00.000Z",
            "value": "reported by Gerald Lee"
          },
          {
            "lang": "en",
            "time": "2021-09-26T00:00:00.000Z",
            "value": "fixed by r1893655 in 2.4.x"
          }
        ],
        "work_around": [
          {
            "lang": "en",
            "value": "Disable the HTTP/2 protocol."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-41524",
    "datePublished": "2021-10-05T08:40:11.000Z",
    "dateReserved": "2021-09-20T00:00:00.000Z",
    "dateUpdated": "2024-08-04T03:15:28.450Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-41524",
      "date": "2026-05-29",
      "epss": "0.03961",
      "percentile": "0.88562"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-41524\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-10-05T09:15:07.427\",\"lastModified\":\"2024-11-21T06:26:20.867\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\"},{\"lang\":\"es\",\"value\":\"Mientras se realizaba el fuzzing del httpd versi\u00f3n 2.4.49, se detect\u00f3 una nueva desreferencia de puntero null durante el procesamiento de peticiones HTTP/2, permitiendo a una fuente externa hacer DoS al servidor. Esto requiere una petici\u00f3n especialmente dise\u00f1ada. La vulnerabilidad fue introducida recientemente en la versi\u00f3n 2.4.49. No se conoce ninguna explotaci\u00f3n en el proyecto\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B201CFB2-F626-4DD0-9F6A-DFE8F64203E2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F69B9A5-F21B-4904-9F27-95C0F7A628E3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C2089EE-5D7F-47EC-8EA5-0F69790564C4\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/10/05/1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://httpd.apache.org/security/vulnerabilities_24.html\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202208-20\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20211029-0009/\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/10/05/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://httpd.apache.org/security/vulnerabilities_24.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSM6UWQICBJ2TU727RENU3HBKEAFLT6T/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUVJVRJRBW5QVX4OY3NOHZDQ3B3YOTSG/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202208-20\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20211029-0009/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.