CVE-2021-40438 : A crafted request uri-path can cause mod_proxy to forward the request to an orig

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Published 2021-09-16 15:15:08

Updated 2025-02-06 21:15:17

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2021-40438

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Apache » Http Server
Versions up to, including, (<=) 2.4.48
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Matching versions
Oracle » Http Server » Version: 12.2.1.3.0
cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Http Server » Version: 12.2.1.4.0
cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Secure Global Desktop » Version: 5.6
cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Ops Center » Version: 12.4.0.0
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Instantis Enterprisetrack » Version: 17.1
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
Matching versions
Oracle » Instantis Enterprisetrack » Version: 17.2
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
Matching versions
Oracle » Instantis Enterprisetrack » Version: 17.3
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
Matching versions
Oracle » Zfs Storage Appliance Kit » Version: 8.8
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
Matching versions
Siemens » Sinema Server » Version: 14.0
cpe:2.3:a:siemens:sinema_server:14.0:-:*:*:*:*:*:*
Matching versions
Siemens » Sinema Remote Connect Server
Versions before (<) 3.1
cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*
Matching versions
Siemens » Sinema Remote Connect Server » Version: 3.2
cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:*:*:*:*:*:*:*
Matching versions
Siemens » Sinec Nms
Versions before (<) 1.0.3
cpe:2.3:a:siemens:sinec_nms:*:*:*:*:*:*:*:*
Matching versions
Siemens » Ruggedcom Nms
cpe:2.3:a:siemens:ruggedcom_nms:*:*:*:*:*:*:*:*
Matching versions
F5 » F5os
Versions from including (>=) 1.1.0 and up to, including, (<=) 1.1.4
cpe:2.3:o:f5:f5os:*:*:*:*:*:*:*:*
Matching versions
F5 » F5os
Versions from including (>=) 1.2.0 and up to, including, (<=) 1.2.1
cpe:2.3:o:f5:f5os:*:*:*:*:*:*:*:*
Matching versions
Broadcom » Brocade Fabric Operating System Firmware » Version: N/A
cpe:2.3:o:broadcom:brocade_fabric_operating_system_firmware:-:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Storagegrid » Version: N/A
cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
Matching versions
Tenable » Tenable.sc
Versions up to, including, (<=) 5.19.1
cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2021-40438

Top countries where our scanners detected CVE-2021-40438

Top open port discovered on systems with this issue 80

IPs affected by CVE-2021-40438 9,451,228

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-40438!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

CVE-2021-40438 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Apache HTTP Server-Side Request Forgery (SSRF)

CISA required action:

Apply updates per vendor instructions.

CISA description:

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2021-40438

Added on 2021-12-01 Action due date 2021-12-15

Exploit prediction scoring system (EPSS) score for CVE-2021-40438

EPSS FAQ

94.44%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-40438

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.0	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	2.2	6.0	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-06
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	2.2	6.0	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-40438

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)

References for CVE-2021-40438

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/

[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34 - package-announce - Fedora Mailing-Lists
Release Notes

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E

[users@httpd] Regarding CVE-2021-40438-Apache Mail Archives
Mailing List
https://httpd.apache.org/security/vulnerabilities_24.html

httpd 2.4 vulnerabilities - The Apache HTTP Server Project
Release Notes;Vendor Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html

[SECURITY] [DLA 2776-1] apache2 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E

[users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E

Re: [users@httpd] 2.4.49 security fixes: more info - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E

Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202208-20

Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3Cusers.httpd.apache.org%3E

[users@httpd] Regarding CVE-2021-40438 - Pony Mail
Mailing List;Vendor Advisory
https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E

[users@httpd] 2.4.49 security fixes: more info-Apache Mail Archives
Mailing List
https://security.netapp.com/advisory/ntap-20211008-0004/

September 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E

[users@httpd] 2.4.49 security fixes: more info - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ

Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021
Broken Link;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2021/dsa-4982

Debian -- Security Information -- DSA-4982-1 apache2
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E

[users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info-Apache Mail Archives
Mailing List
https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E

Re: [users@httpd] 2.4.49 security fixes: more info-Apache Mail Archives
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/

[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35 - package-announce - Fedora Mailing-Lists
Release Notes

CVEs referencing this url
https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E

[Bug 65616] CVE-2021-36160 regression - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3Cusers.httpd.apache.org%3E

Re: [users@httpd] Regarding CVE-2021-40438 - Pony Mail
Mailing List;Vendor Advisory
https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E

Re: [users@httpd] Regarding CVE-2021-40438-Apache Mail Archives
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/

[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.tenable.com/security/tns-2021-17

[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202110.1 - Security Advisory | Tenable®
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E

Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info-Apache Mail Archives
Mailing List
https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E

[Bug 65616] CVE-2021-36160 regression-Apache Mail Archives
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/

[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf

Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-40438