⚠ Actively exploited
Added to CISA KEV on 2021-12-01. Federal agencies required to patch by 2021-12-15. Required action: apply updates per vendor instructions.
CVE-2021-40438
Severity: 9.0 CRITICAL
EPSS: 94.4% (top 0.01%)
CISA KEV: added 2021-12-01, due 2021-12-15
Exploit status: exploited in the wild; active exploitation observed
Timeline
Published: 2021-09-16
KEV added: 2021-12-01
KEV due: 2021-12-15
Latest update: Jul 13
CISA Required Action: Apply updates per vendor instructions.
Description
A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user (server-side request forgery). This issue affects Apache HTTP Server 2.4.48 and earlier; 2.4.49 is the first upstream release that carries the fix. Exposure requires mod_proxy to be loaded and configured to forward requests, for example as a reverse proxy with ProxyPass; an httpd instance that does not proxy is not exploitable through this flaw but should still be updated. Distribution builds backport fixes without changing the upstream version string, and the Red Hat advisory listed below records a regression of this fix in Red Hat Enterprise Linux 8.5, so on such systems verify the package errata rather than relying on the reported version.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 6.0
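As a triage aid added here (it is not part of this advisory page or of the Apache project), the Python below pulls an httpd version out of a Server header or `httpd -v` banner and applies the affected range stated above, together with the distribution-backport caveat. The banners are constructed samples, and the `mod_proxy_loaded` and `distro_build` flags are assumed inputs the caller must determine from the host's configuration and packaging.

```python
import re
from typing import Optional, Tuple

# Affected range from the CVE text: 2.4.48 and earlier. 2.4.49 is the first
# upstream release that carries the fix.
FIRST_FIXED = (2, 4, 49)

# Matches "Apache/2.4.48" in a Server header or "Server version: Apache/2.4.48"
# from `httpd -v`. Builds with ServerTokens Prod send just "Apache" and match nothing.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) tuple found in an httpd banner, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def triage_cve_2021_40438(banner: str, mod_proxy_loaded: bool,
                          distro_build: bool = False) -> str:
    """Classify a host against CVE-2021-40438 (assumed inputs, see lead-in).

    mod_proxy_loaded: whether mod_proxy is loaded and configured to forward
        requests (e.g. a ProxyPass reverse proxy). The flaw is in mod_proxy,
        so a host that does not proxy is not exploitable through it.
    distro_build: True for vendor packages (RHEL, Debian, ...), which backport
        fixes without bumping the upstream version string. For these the
        version alone cannot prove the fix is present or absent; the RHEL 8.5
        regression in the Red Hat advisory is the reminder that errata,
        not banners, are authoritative.
    """
    if not mod_proxy_loaded:
        return "NOT_EXPOSED"          # still patch; not reachable via mod_proxy
    version = parse_httpd_version(banner)
    if version is None:
        return "UNKNOWN_VERSION"      # banner hides the version; inspect the host
    if version >= FIRST_FIXED:
        return "FIXED"                # upstream version carries the fix
    if distro_build:
        return "VERIFY_ERRATA"        # backport likely; confirm the package changelog
    return "AFFECTED"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        ("Server: Apache/2.4.48 (Ubuntu)", True, False),
        ("Server: Apache/2.4.49 (Unix)", True, False),
        ("Server version: Apache/2.4.37 (Red Hat Enterprise Linux)", True, True),
        ("Server: Apache", True, False),
        ("Server: Apache/2.4.48 (Debian)", False, False),
    ]
    for banner, proxy, distro in samples:
        print(f"{banner!r:60} -> {triage_cve_2021_40438(banner, proxy, distro)}")
```

Version-string triage is only a first pass: a `FIXED` or `AFFECTED` verdict from a banner is trustworthy for upstream builds, while anything packaged by a distribution should be resolved against the vendor's errata for this CVE.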
Affected Packages (18 packages)
Also affects: Rocky Linux 8.0; Debian Linux 9.0, 10.0, 11.0; Fedora 34, 35; Enterprise Linux 7.0, 7.2, 7.3, 7.4, 7.6, 7.7, 8.0, 8.1, 8.2, 8.4, 8.6, 8.8
Vulnerability Details (4)
GHSA: GHSA-rwxq-58vm-3v2j: A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user (2022-05-24)
OSV: CVE-2021-40438: A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user (2021-09-16)

Exploits & PoCs (1)
Nuclei: Apache <= 2.4.48 Mod_Proxy - Server-Side Request Forgery

Detection Rules (1)

Vendor Advisories (11)
Oracle: Oracle Enterprise Manager Risk Matrix: User Interface (Apache HTTP Server) — CVE-2021-40438 (2022-04-15)
Oracle: Oracle Fusion Middleware Risk Matrix: OSSL Module (Apache HTTP Server) — CVE-2021-40438 (2022-01-15)
Cisco
Red Hat: httpd: Regression of CVE-2021-40438 and CVE-2021-26691 fixes in Red Hat Enterprise Linux 8.5 (2021-11-09)