NULL pointer dereference in Apache Software Foundation Http Server
CVE-2021-44224
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a decl…
EPSS: 0.823 (99.6th percentile)
Affected products
- Apache Software Foundation Http Server — versions 2.4.7
Weakness classification (CWE)
Public proof-of-concept exploits
References
- httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
- [oss-security] 20211220 CVE-2021-44224: Apache HTTP Server: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (mailing-list, x_refsource_MLIST)
- FEDORA-2021-29a536c2ae (vendor-advisory, x_refsource_FEDORA)
- DSA-5035 (vendor-advisory, x_refsource_DEBIAN)
- www.oracle.com/security-alerts/cpujan2022.html (x_refsource_MISC)
- security.netapp.com/advisory/ntap-20211224-0001/ (x_refsource_CONFIRM)
- www.tenable.com/security/tns-2022-01 (x_refsource_CONFIRM)
- www.tenable.com/security/tns-2022-03 (x_refsource_CONFIRM)
- FEDORA-2022-b4103753e9 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2022-21264ec6db (vendor-advisory, x_refsource_FEDORA)
Frequently asked questions
- What is CVE-2021-44224?
- CVE-2021-44224 is a vulnerability in Apache Software Foundation Http Server, classified under NULL Pointer Dereference. Published 2021-12-20.
- Is CVE-2021-44224 known to be exploited?
- 15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.