CVE-2021-44224: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward…

high8.2CVSS 3.1

AVNACLPRNUINSUCNILAH

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Affected

31 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	http_server	>= 2.4.7 < 2.4.52	2.4.52
apache_software_foundation	apache_http_server	>= 2.4.7 < Apache HTTP Server 2.4*	Apache HTTP Server 2.4*
apple	mac_os_x	—	—
apple	macos	< 10.15.7	10.15.7
apple	macos	>= 11.0 < 11.6.6	11.6.6
apple	macos	>= 12.0.0 < 12.4	12.4
apple	macos_big_sur	—	—
apple	macos_monterey	—	—
apple	security_update_2022-004_catalina	—	—
debian	apache2	< apache2 2.4.52-1 (bookworm)	apache2 2.4.52-1 (bookworm)
debian	debian_linux	—	—
debian	debian_linux	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	cbl2_httpd_2.4.52-1_on_cbl_mariner_2.0	—	—
msrc	cm1_httpd_2.4.52-1_on_cbl_mariner_1.0	—	—
oracle	communications_element_manager	< 9.0	9.0
oracle	communications_operations_monitor	—	—
oracle	communications_operations_monitor	—	—
oracle	communications_operations_monitor	—	—
oracle	communications_operations_monitor	—	—
oracle	communications_session_report_manager	< 9.0	9.0
oracle	communications_session_route_manager	< 9.0	9.0
oracle	http_server	—	—

CVSS provenance

nvdv3.18.2HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

osv8.2HIGH