A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network.

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

References

bugzilla.redhat.com/show_bug.cgi?id=2005117

nvd.nist.gov/vuln/detail/CVE-2021-40438

www.cve.org/CVERecord?id=CVE-2021-40438

cisa_kev 1

osv 13

nessus 57

redhat 9

ibm 12

cnvd 1

f5 1

oraclelinux 2

centos 1

githubexploit 8

openvas 33

checkpoint_advisories 1

rocky 3

prion 2

debiancve 2

rapid7blog 1

alpinelinux 1

cbl_mariner 2

cvelist 2

ubuntucve 2

httpd 1

almalinux 3

veracode 1

hackerone 1

nuclei 1

nvd 2

cve 2

attackerkb 1

ubuntu 4

debian 2

ics 2

redhatcve 1

photon 5

suse 2

freebsd 1

mageia 1

cisco 1

trellix 2

altlinux 2

kaspersky 1

slackware 1

cisa 1

rosalinux 2

amazon 2

fedora 2

gentoo 1

cisa_kev

Apache HTTP Server-Side Request Forgery (SSRF)

2021-12-01 00:00:00

osv

BIT-apache-2021-40438

2024-03-06 10:55:02

httpd:2.4 bug fix update

2021-11-10 09:00:43

CVE-2021-40438

2021-09-16 15:15:07

nessus

RHEL 7 : httpd24-httpd (RHSA-2021:3754)

2021-10-12 00:00:00

Oracle Linux 7 : httpd (ELSA-2021-3856)

2021-10-15 00:00:00

Apache < 2.4.49 Multiple Vulnerabilities

2021-09-23 00:00:00

redhat

(RHSA-2021:3836) Important: httpd:2.4 security update

2021-10-13 07:08:32

(RHSA-2021:3746) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9 security update

2021-10-07 13:31:45

(RHSA-2021:3856) Important: httpd security update

2021-10-14 08:00:40

ibm

Security Bulletin: Apache HTTP Server as used in IBM QRadar SIEM is vulnerable to server-side request forgery (SSRF) (CVE-2021-40438)

2021-12-20 21:02:58

Security Bulletin: IBM Aspera Orchestrator vulnerable to server-side request forgery due to Apache HTTP Server vulnerability (CVE-2021-40438)

2023-02-02 17:18:50

Security Bulletin: IBM Aspera Faspex 4.4.1 and earlier has addressed an Apache vulnerabilitiy (CVE-2021-40438)

2022-09-07 23:29:54

cnvd

Apache HTTP Server mod_proxy server-side request forgery vulnerability

2021-09-18 00:00:00

K01552024 : Apache vulnerability CVE-2021-40438

2021-10-21 00:00:00

oraclelinux

httpd security update

2021-10-14 00:00:00

httpd:2.4 security update

2021-10-13 00:00:00

centos

httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update

2021-11-17 14:59:00

githubexploit

Exploit for Server-Side Request Forgery in Apache Http Server

2023-12-12 11:56:23

Exploit for Server-Side Request Forgery in Apache Http Server

2022-04-03 15:24:24

Exploit for Server-Side Request Forgery in Apache Http Server

2024-05-19 11:04:58

openvas

CentOS: Security Advisory for httpd (CESA-2021:3856)

2021-11-18 00:00:00

Debian: Security Advisory (DLA-2776-1)

2021-10-03 00:00:00

SUSE: Security Advisory (SUSE-SU-2021:3299-1)

2021-10-07 00:00:00

checkpoint_advisories

Apache HTTP Server Server-Side Request Forgery (CVE-2021-40438)

2021-10-18 00:00:00

rocky

2.4 bug fix update

2021-11-10 09:00:43

httpd:2.4 security update

2021-10-12 15:53:03

httpd:2.4 security update

2021-11-09 19:25:44

prion

Design/Logic Flaw

2021-09-16 15:15:00

Design/Logic Flaw

2022-02-18 18:15:00

debiancve

CVE-2021-40438

2021-09-16 15:15:07

CVE-2021-20325

2022-02-18 18:15:09

rapid7blog

Active Exploitation of Apache HTTP Server CVE-2021-40438

2021-11-30 17:38:53

alpinelinux

CVE-2021-40438

2021-09-16 15:15:07

cbl_mariner

CVE-2021-40438 affecting package httpd for versions less than 2.4.52-1

2022-04-09 06:51:57

CVE-2021-40438 affecting package httpd 2.4.46-6

2021-10-15 04:46:31

cvelist

CVE-2021-40438 mod_proxy SSRF

2021-09-16 14:40:23

CVE-2021-20325

2022-02-18 17:50:47

ubuntucve

CVE-2021-40438

2021-09-16 00:00:00

CVE-2021-20325

2022-02-18 00:00:00

httpd

Apache Httpd < 2.4.49 : mod_proxy SSRF

2021-09-16 00:00:00

almalinux

httpd:2.4 bug fix update

2021-11-10 09:00:43

Important: httpd:2.4 security update

2021-10-12 15:53:03

Important: httpd:2.4 security update

2021-11-09 19:25:44

veracode

Cross-Site Request Forgery (CSRF)

2021-09-20 12:57:14

hackerone

Acronis: CVE-2021-40438 on cp-eu2.acronis.com

2021-10-15 05:46:15

nuclei

Apache <= 2.4.48 Mod_Proxy - Server-Side Request Forgery

2021-10-14 19:59:52

nvd

CVE-2021-40438

2021-09-16 15:15:07

CVE-2021-20325

2022-02-18 18:15:09

cve

CVE-2021-40438

2021-09-16 15:15:07

CVE-2021-20325

2022-02-18 18:15:09

attackerkb

CVE-2021-40438

2021-09-16 00:00:00

ubuntu

Apache HTTP Server vulnerabilities

2021-09-27 00:00:00

Apache HTTP Server regression

2021-09-28 00:00:00

Apache HTTP Server regression

2021-09-28 00:00:00

debian

[SECURITY] [DLA 2776-1] apache2 security update

2021-10-02 16:07:56

[SECURITY] [DSA 4982-1] apache2 security update

2021-10-08 20:56:04

ics

Siemens Apache HTTP Server (Update A)

2022-10-13 12:00:00

2022 Top Routinely Exploited Vulnerabilities

2023-08-03 12:00:00

redhatcve

CVE-2021-20325

2021-11-09 09:06:32

photon

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0437

2021-10-01 00:00:00

Critical Photon OS Security Update - PHSA-2021-0309

2021-10-01 00:00:00

Critical Photon OS Security Update - PHSA-2021-0437

2021-10-01 00:00:00

suse

Security update for apache2 (important)

2021-10-26 00:00:00

Security update for apache2 (important)

2021-11-02 00:00:00

freebsd

Apache httpd -- multiple vulnerabilities

2021-09-16 00:00:00

mageia

Updated apache packages fix security vulnerability

2021-09-23 07:49:29

cisco

Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021

2021-11-24 16:00:00

trellix

The Bug Report – October Edition

2021-11-02 00:00:00

The Bug Report – October Edition

2021-11-02 00:00:00

altlinux

Security fix for the ALT Linux 10 package apache2 version 1:2.4.49-alt1

2021-10-04 00:00:00

Security fix for the ALT Linux 9 package apache2 version 1:2.4.49-alt1

2021-09-23 00:00:00

kaspersky

KLA12370 Multiple vulnerabilities in Apache HTTP Server

2021-09-16 00:00:00

slackware

[slackware-security] httpd

2021-09-17 04:22:20

cisa

CISA Adds Five Known Exploited Vulnerabilities to Catalog

2021-12-01 00:00:00

rosalinux

Advisory ROSA-SA-2023-2158

2023-04-25 11:30:17

Advisory ROSA-SA-2023-2160

2023-04-25 12:02:31

amazon

Important: httpd

2021-10-15 07:57:00

Important: httpd24

2021-10-15 07:52:00

fedora

[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35

2021-09-24 20:56:12

[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34

2021-09-20 13:58:04

gentoo

Apache HTTPD: Multiple Vulnerabilities

2022-08-14 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

0.974 High

EPSS

Percentile

99.9%

JSON

Related for RH:CVE-2021-40438