A crafted request uri-path can cause mod_proxy to forward the request to an
origin server choosen by the remote user. This issue affects Apache HTTP
Server 2.4.48 and earlier.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchapache2< 2.4.29-1ubuntu4.18UNKNOWN
ubuntu20.04noarchapache2< 2.4.41-4ubuntu3.6UNKNOWN
ubuntu21.04noarchapache2< 2.4.46-4ubuntu1.3UNKNOWN
ubuntu21.10noarchapache2< 2.4.48-3.1ubuntu2UNKNOWN
ubuntu22.04noarchapache2< 2.4.48-3.1ubuntu2UNKNOWN
ubuntu16.04noarchapache2< 2.4.18-2ubuntu3.17+esm3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	apache2	< 2.4.29-1ubuntu4.18	UNKNOWN
ubuntu	20.04	noarch	apache2	< 2.4.41-4ubuntu3.6	UNKNOWN
ubuntu	21.04	noarch	apache2	< 2.4.46-4ubuntu1.3	UNKNOWN
ubuntu	21.10	noarch	apache2	< 2.4.48-3.1ubuntu2	UNKNOWN
ubuntu	22.04	noarch	apache2	< 2.4.48-3.1ubuntu2	UNKNOWN
ubuntu	16.04	noarch	apache2	< 2.4.18-2ubuntu3.17+esm3	UNKNOWN

References

httpd.apache.org/security/vulnerabilities_24.html

httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-40438

launchpad.net/bugs/cve/CVE-2021-40438

nvd.nist.gov/vuln/detail/CVE-2021-40438

security-tracker.debian.org/tracker/CVE-2021-40438

ubuntu.com/security/notices/USN-5090-1

ubuntu.com/security/notices/USN-5090-2

ubuntu.com/security/notices/USN-5090-2 (regression update esm)

ubuntu.com/security/notices/USN-5090-3 (regression update)

www.cve.org/CVERecord?id=CVE-2021-40438

prion 2

osv 13

nessus 58

checkpoint_advisories 1

rocky 3

redhat 9

githubexploit 8

openvas 34

f5 1

oraclelinux 2

cnvd 1

centos 1

ibm 12

cisa_kev 1

hackerone 1

veracode 1

cbl_mariner 2

nuclei 1

cve 2

almalinux 3

httpd 1

cvelist 2

rapid7blog 1

redhatcve 2

alpinelinux 1

debiancve 2

attackerkb 1

debian 2

ics 2

ubuntu 4

ubuntucve 1

photon 5

suse 2

trellix 2

altlinux 2

kaspersky 1

mageia 1

cisco 1

freebsd 1

cisa 1

slackware 1

rosalinux 2

amazon 2

fedora 2

gentoo 1

prion

Design/Logic Flaw

2021-09-16 15:15:00

Design/Logic Flaw

2022-02-18 18:15:00

osv

httpd:2.4 bug fix update

2021-11-10 09:00:43

BIT-apache-2021-40438

2024-03-06 10:55:02

CVE-2021-40438

2021-09-16 15:15:07

nessus

NewStart CGSL CORE 5.04 / MAIN 5.04 : httpd Vulnerability (NS-SA-2022-0016)

2022-05-09 00:00:00

RHEL 8 : httpd:2.4 (RHSA-2021:3837)

2021-10-13 00:00:00

Apache < 2.4.49 Multiple Vulnerabilities

2021-09-23 00:00:00

checkpoint_advisories

Apache HTTP Server Server-Side Request Forgery (CVE-2021-40438)

2021-10-18 00:00:00

rocky

2.4 bug fix update

2021-11-10 09:00:43

httpd:2.4 security update

2021-10-12 15:53:03

httpd:2.4 security update

2021-11-09 19:25:44

redhat

(RHSA-2021:3754) Important: httpd24-httpd security update

2021-10-11 07:49:30

(RHSA-2021:3856) Important: httpd security update

2021-10-14 08:00:40

(RHSA-2021:3745) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9 security update

2021-10-07 13:31:42

githubexploit

Exploit for Server-Side Request Forgery in Apache Http Server

2024-05-19 11:04:58

Exploit for Server-Side Request Forgery in Apache Http Server

2023-12-12 11:56:23

Exploit for Server-Side Request Forgery in Apache Http Server

2022-04-03 15:24:24

openvas

CentOS: Security Advisory for httpd (CESA-2021:3856)

2021-11-18 00:00:00

Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2021-2931)

2022-01-02 00:00:00

SUSE: Security Advisory (SUSE-SU-2021:3299-1)

2021-10-07 00:00:00

K01552024 : Apache vulnerability CVE-2021-40438

2021-10-21 00:00:00

oraclelinux

httpd security update

2021-10-14 00:00:00

httpd:2.4 security update

2021-10-13 00:00:00

cnvd

Apache HTTP Server mod_proxy server-side request forgery vulnerability

2021-09-18 00:00:00

centos

httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update

2021-11-17 14:59:00

ibm

Security Bulletin: Apache HTTP Server as used in IBM QRadar SIEM is vulnerable to server-side request forgery (SSRF) (CVE-2021-40438)

2021-12-20 21:02:58

Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-40438)

2022-01-17 18:05:57

Security Bulletin: IBM Aspera Orchestrator vulnerable to server-side request forgery due to Apache HTTP Server vulnerability (CVE-2021-40438)

2023-02-02 17:18:50

cisa_kev

Apache HTTP Server-Side Request Forgery (SSRF)

2021-12-01 00:00:00

hackerone

Acronis: CVE-2021-40438 on cp-eu2.acronis.com

2021-10-15 05:46:15

veracode

Cross-Site Request Forgery (CSRF)

2021-09-20 12:57:14

cbl_mariner

CVE-2021-40438 affecting package httpd 2.4.46-6

2021-10-15 04:46:31

CVE-2021-40438 affecting package httpd for versions less than 2.4.52-1

2022-04-09 06:51:57

nuclei

Apache <= 2.4.48 Mod_Proxy - Server-Side Request Forgery

2021-10-14 19:59:52

cve

CVE-2021-40438

2021-09-16 15:15:00

CVE-2021-20325

2022-02-18 18:15:00

almalinux

httpd:2.4 bug fix update

2021-11-10 09:00:43

Important: httpd:2.4 security update

2021-10-12 15:53:03

Important: httpd:2.4 security update

2021-11-09 19:25:44

httpd

Apache Httpd < 2.4.49 : mod_proxy SSRF

2021-09-16 00:00:00

cvelist

CVE-2021-40438 mod_proxy SSRF

2021-09-16 14:40:23

CVE-2021-20325

2022-02-18 17:50:47

rapid7blog

Active Exploitation of Apache HTTP Server CVE-2021-40438

2021-11-30 17:38:53

redhatcve

CVE-2021-40438

2021-09-16 20:45:58

CVE-2021-20325

2021-11-09 09:06:32

alpinelinux

CVE-2021-40438

2021-09-16 15:15:00

debiancve

CVE-2021-40438

2021-09-16 15:15:00

CVE-2021-20325

2022-02-18 18:15:00

attackerkb

CVE-2021-40438

2021-09-16 00:00:00

debian

[SECURITY] [DLA 2776-1] apache2 security update

2021-10-02 16:08:10

[SECURITY] [DSA 4982-1] apache2 security update

2021-10-08 20:56:04

ics

Siemens Apache HTTP Server (Update A)

2022-10-13 12:00:00

2022 Top Routinely Exploited Vulnerabilities

2023-08-03 12:00:00

ubuntu

Apache HTTP Server vulnerabilities

2021-09-27 00:00:00

Apache HTTP Server vulnerabilities

2021-09-27 00:00:00

Apache HTTP Server regression

2021-09-28 00:00:00

ubuntucve

CVE-2021-20325

2022-02-18 00:00:00

photon

Critical Photon OS Security Update - PHSA-2021-0309

2021-10-01 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0437

2021-10-01 00:00:00

Critical Photon OS Security Update - PHSA-2021-0437

2021-10-01 00:00:00

suse

Security update for apache2 (important)

2021-10-26 00:00:00

Security update for apache2 (important)

2021-11-02 00:00:00

trellix

The Bug Report – October Edition

2021-11-02 00:00:00

The Bug Report – October Edition

2021-11-02 00:00:00

altlinux

Security fix for the ALT Linux 10 package apache2 version 1:2.4.49-alt1

2021-10-04 00:00:00

Security fix for the ALT Linux 9 package apache2 version 1:2.4.49-alt1

2021-09-23 00:00:00

kaspersky

KLA12370 Multiple vulnerabilities in Apache HTTP Server

2021-09-16 00:00:00

mageia

Updated apache packages fix security vulnerability

2021-09-23 07:49:29

cisco

Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021

2021-11-24 16:00:00

freebsd

Apache httpd -- multiple vulnerabilities

2021-09-16 00:00:00

cisa

CISA Adds Five Known Exploited Vulnerabilities to Catalog

2021-12-01 00:00:00

slackware

[slackware-security] httpd

2021-09-17 04:22:20

rosalinux

Advisory ROSA-SA-2023-2158

2023-04-25 11:30:17

Advisory ROSA-SA-2023-2160

2023-04-25 12:02:31

amazon

Important: httpd24

2021-10-15 07:52:00

Important: httpd

2021-10-15 07:57:00

fedora

[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35

2021-09-24 20:56:12

[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34

2021-09-20 13:58:04

gentoo

Apache HTTPD: Multiple Vulnerabilities

2022-08-14 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

0.974 High

EPSS

Percentile

99.9%

JSON

Related for UB:CVE-2021-40438