8.2

CVE-2021-44224

Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHTTP Server Version >= 2.4.7 < 2.4.52
FedoraprojectFedora Version34
FedoraprojectFedora Version35
FedoraprojectFedora Version36
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
TenableTenable.Sc Version >= 5.14.0 < 5.20.0
TenableTenable.Sc Version >= 5.16.0 < 202201.1
OracleHTTP Server Version-
OracleHTTP Server Version12.2.1.3.0
OracleHTTP Server Version12.2.1.4.0
ApplemacOS X Version10.15.7
ApplemacOS X Version10.15.7 Updatesecurity_update_2020-001
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-001
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-002
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-003
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-004
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-005
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-006
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-007
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-008
ApplemacOS X Version10.15.7 Updatesecurity_update_2022-001
ApplemacOS X Version10.15.7 Updatesecurity_update_2022-002
ApplemacOS X Version10.15.7 Updatesecurity_update_2022-003
ApplemacOS Version < 10.15.7
ApplemacOS Version >= 11.0 < 11.6.6
ApplemacOS Version >= 12.0.0 < 12.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 82.3% 0.996
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.2 3.9 4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
nvd@nist.gov 6.4 10 4.9
AV:N/AC:L/Au:N/C:N/I:P/A:P
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

http://httpd.apache.org/security/vulnerabilities_24.html
Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://security.gentoo.org/glsa/202208-20
Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/35
Third Party Advisory
Mailing List
https://support.apple.com/kb/HT213256
Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/33
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2022/May/38
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2021/12/20/3
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
https://security.netapp.com/advisory/ntap-20211224-0001/
Third Party Advisory
https://support.apple.com/kb/HT213255
Third Party Advisory
https://support.apple.com/kb/HT213257
Third Party Advisory
https://www.debian.org/security/2022/dsa-5035
Third Party Advisory
https://www.tenable.com/security/tns-2022-01
Third Party Advisory
https://www.tenable.com/security/tns-2022-03
Third Party Advisory