CVE-2021-40438

Warnung

EPSS 94.43%
Veröffentlicht 16.09.2021 15:15:07
Zuletzt bearbeitet 16.05.2025 15:27:13
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 22

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Resf ≫ Rocky Linux Version8.0

Redhat ≫ Jboss Core Services Version1.0

Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Software Collections Version1.0

Redhat ≫ Enterprise Linux Server Version7.0
Redhat ≫ Enterprise Linux Server Workstation Version7.0

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Eus Version8.1

Redhat ≫ Enterprise Linux Eus Version8.2

Redhat ≫ Enterprise Linux Eus Version8.4

Redhat ≫ Enterprise Linux Eus Version8.6

Redhat ≫ Enterprise Linux Eus Version8.8

Redhat ≫ Enterprise Linux For Arm 64 Version8.0

Redhat ≫ Enterprise Linux For Arm 64 Eus Version8.6

Redhat ≫ Enterprise Linux For Arm 64 Eus Version8.8

Redhat ≫ Enterprise Linux For Ibm Z Systems Version7.0_s390x

Redhat ≫ Enterprise Linux For Ibm Z Systems Version8.0

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.1

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.4

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.8

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus S390x Version8.2

Redhat ≫ Enterprise Linux For Power Big Endian Version7.0

Redhat ≫ Enterprise Linux For Power Little Endian Version7.0

Redhat ≫ Enterprise Linux For Power Little Endian Version8.0

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.1

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.2

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.4

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.6

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.8

Redhat ≫ Enterprise Linux For Scientific Computing Version7.0

Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Enterprise Linux Server Aus Version7.2

Redhat ≫ Enterprise Linux Server Aus Version7.3

Redhat ≫ Enterprise Linux Server Aus Version7.4

Redhat ≫ Enterprise Linux Server Aus Version7.6

Redhat ≫ Enterprise Linux Server Aus Version7.7

Redhat ≫ Enterprise Linux Server Aus Version8.2

Redhat ≫ Enterprise Linux Server Aus Version8.4

Redhat ≫ Enterprise Linux Server Aus Version8.6

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version7.6

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version7.7

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.1

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.2

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.4

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.6

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.8

Redhat ≫ Enterprise Linux Server Tus Version7.6

Redhat ≫ Enterprise Linux Server Tus Version7.7

Redhat ≫ Enterprise Linux Server Tus Version8.2

Redhat ≫ Enterprise Linux Server Tus Version8.4

Redhat ≫ Enterprise Linux Server Tus Version8.6

Redhat ≫ Enterprise Linux Server Tus Version8.8

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version7.6

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version7.7

Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version8.1

Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version8.2

Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version8.4

Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version8.6

Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version8.8

Redhat ≫ Enterprise Linux Workstation Version7.0

Apache ≫ HTTP Server Version <= 2.4.48

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Netapp ≫ Cloud Backup Version-

Netapp ≫ Clustered Data Ontap Version-

Netapp ≫ Storagegrid Version-

Broadcom ≫ Brocade Fabric Operating System Firmware Version-

F5 ≫ F5os Version >= 1.1.0 <= 1.1.4

F5 ≫ F5os Version >= 1.2.0 <= 1.2.1

Oracle ≫ Enterprise Manager Ops Center Version12.4.0.0

Oracle ≫ HTTP Server Version12.2.1.3.0

Oracle ≫ HTTP Server Version12.2.1.4.0

Oracle ≫ Instantis Enterprisetrack Version17.1

Oracle ≫ Instantis Enterprisetrack Version17.2

Oracle ≫ Instantis Enterprisetrack Version17.3

Oracle ≫ Secure Global Desktop Version5.6

Oracle ≫ Zfs Storage Appliance Kit Version8.8

Siemens ≫ Ruggedcom Nms

Siemens ≫ Sinec Nms Version < 1.0.3

Siemens ≫ Sinema Remote Connect Server Version < 3.1

Siemens ≫ Sinema Remote Connect Server Version3.2

Siemens ≫ Sinema Server Version14.0 Update-

Tenable ≫ Tenable.Sc Version <= 5.19.1

01.12.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache HTTP Server-Side Request Forgery (SSRF)

Schwachstelle

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.43%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

Release Notes

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/