httpd: possible NULL dereference or SSRF in forward proxy configurations

🗓️ 26 Oct 2022 20:15:34Reported by RedHatType

redhat

redhat🔗 access.redhat.com👁 1 Views

Apache httpd mod_proxy forward proxy may dereference NULL and cause SSRF, risking crash.

Reporter	Title	Published	Views	Family All 186
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2021-44790, CVE-2021-44224)	1 Apr 202210:32	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities have been identified in IBM HTTP Server shipped with IBM Rational ClearCase (CVE-2021-44790, CVE-2021-44224)	16 Mar 202208:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224	28 Feb 202223:45	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-44224)	17 Jan 202218:32	–	ibm
IBM Security Bulletins	WebSphere Application Server and IBM HTTP Server Security Bulletin List	13 Jul 202218:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities	2 Jun 202202:42	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server	12 Jan 202219:17	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2021-44790, CVE-2021-44224)	1 Apr 202212:23	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Remote Server	4 Mar 202219:21	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache HTTP (CVE-2021-33193 and CVE-2021-44224) affects Power HMC	4 Dec 202200:13	–	ibm

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	7	x86_64	jbcs-httpd24-httpd	0:2.4.51-28.el7jbcs	jbcs-httpd24-httpd-0:2.4.51-28.el7jbcs.x86_64.rpm
Red Hat Enterprise Linux	8	x86_64	jbcs-httpd24-httpd	0:2.4.51-28.el8jbcs	jbcs-httpd24-httpd-0:2.4.51-28.el8jbcs.x86_64.rpm
Red Hat Enterprise Linux	7	x86_64	jbcs-httpd24-httpd-debuginfo	0:2.4.51-28.el7jbcs	jbcs-httpd24-httpd-debuginfo-0:2.4.51-28.el7jbcs.x86_64.rpm
Red Hat Enterprise Linux	8	x86_64	jbcs-httpd24-httpd-debuginfo	0:2.4.51-28.el8jbcs	jbcs-httpd24-httpd-debuginfo-0:2.4.51-28.el8jbcs.x86_64.rpm
Red Hat Enterprise Linux	7	x86_64	jbcs-httpd24-httpd-devel	0:2.4.51-28.el7jbcs	jbcs-httpd24-httpd-devel-0:2.4.51-28.el7jbcs.x86_64.rpm
Red Hat Enterprise Linux	8	x86_64	jbcs-httpd24-httpd-devel	0:2.4.51-28.el8jbcs	jbcs-httpd24-httpd-devel-0:2.4.51-28.el8jbcs.x86_64.rpm
Red Hat Enterprise Linux	7	any	jbcs-httpd24-httpd-manual	0:2.4.51-28.el7jbcs.noarch	jbcs-httpd24-httpd-manual-0:2.4.51-28.el7jbcs.noarch.noarch.rpm
Red Hat Enterprise Linux	8	any	jbcs-httpd24-httpd-manual	0:2.4.51-28.el8jbcs.noarch	jbcs-httpd24-httpd-manual-0:2.4.51-28.el8jbcs.noarch.noarch.rpm
Red Hat Enterprise Linux	7	x86_64	jbcs-httpd24-httpd-selinux	0:2.4.51-28.el7jbcs	jbcs-httpd24-httpd-selinux-0:2.4.51-28.el7jbcs.x86_64.rpm
Red Hat Enterprise Linux	8	x86_64	jbcs-httpd24-httpd-selinux	0:2.4.51-28.el8jbcs	jbcs-httpd24-httpd-selinux-0:2.4.51-28.el8jbcs.x86_64.rpm

Source	Link
httpd	www.httpd.apache.org/security/vulnerabilities_24.html
access	www.access.redhat.com/security/cve/CVE-2021-44224
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
nvd	www.nvd.nist.gov/vuln/detail/CVE-2021-44224
cve	www.cve.org/CVERecord

14 May 2026 22:32Current

7High risk

Vulners AI Score7

CVSS 26.4

CVSS 3.18.2

EPSS0.0925

Apache httpd mod proxy forward proxy null dereference server side forgery data leakage