What is CVE-2021-40438?

CVE-2021-40438 is a vulnerability in Apache Software Foundation Http Server, classified under Server-Side Request Forgery (SSRF). Published 2021-09-16.

Is CVE-2021-40438 known to be exploited?

Yes. CVE-2021-40438 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-12-01), indicating it is being actively exploited. 73 public proof-of-concept repositories are indexed.

SSRF in Apache Software Foundation Http Server

CVE-2021-40438

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Http Server — versions Apache HTTP Server 2.4

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2021-12-01. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2021-12-15.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
FEDORA-2021-dce7e7738e (vendor-advisory, x_refsource_FEDORA)
[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
FEDORA-2021-e3f6dd670d (vendor-advisory, x_refsource_FEDORA)
[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update (mailing-list, x_refsource_MLIST)
[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression (mailing-list, x_refsource_MLIST)
DSA-4982 (vendor-advisory, x_refsource_DEBIAN)

Frequently asked questions

What is CVE-2021-40438?: CVE-2021-40438 is a vulnerability in Apache Software Foundation Http Server, classified under Server-Side Request Forgery (SSRF). Published 2021-09-16.
Is CVE-2021-40438 known to be exploited?: Yes. CVE-2021-40438 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-12-01), indicating it is being actively exploited. 73 public proof-of-concept repositories are indexed.