Error in the affected Software/OS description?


I got the Apache HTTP Server < 2.4.48 NULL Pointer Dereference Vulnerability - Linux (OID: in my last scan regarding CVE-2021-31618.

In the description for affected Software/OS it says that all Apache HTTP Servers before version 2.4.48 on Linux are vulnerable. However, NVD states the following: “This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only”.

Is this something that could be updated?


and welcome to this community forum.

It seems this is not actual a “real” error as the vendor initially stated that <= 2.4.47 is affected like seen on the initial published advisory page here:

an the VT has been created back then in 2021 based on that published version info.

So technically speaking it actually was correct based on the available info back then.

But in this specific case the vendor probably had corrected the wrongly published version info in the meantime without any additional follow-up announcement or marking the done update as such (on that page) so it can always happen that required updates are not getting noticed. :-/

Nonetheless the VT in question can be indeed updated based on the newly available info, this will happen in the next few days.


One additional important note:

The VT in question has a “low” ( < 70 %) Quality of Detection (QoD) not showing up by default in reports. While the VT could be updated please be aware that using a non-default filter will show VTs which are generally more false positive prone.

More reading about the QoD concept is available at the 11.2.6 Quality of Detection Concept section of the manual.


Thanks for the fast reply. I am currently doing my bachelor thesis and are investigating vulnerabilities with low QoDs found in a company network. Interesting to see how many of them that are actually real vulnerabilities and not just false positives. I will probably ask more questions in the near future if something else catches my eye:)


Oh, and strange enough oss-security - Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request even says:

in fact it was fixed in 2.4.47

while Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project actually says:

This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only
Affects 2.4.47

One of the many pitfalls with (automated) vulnerability scanning, the results can be only as good as the vendor is publishing reliable info on the affected and fixed versions :frowning:


Two short additional notes: