CVE DATABASE / CVE-2021-40438
CVE-2021-40438
Apache HTTP Server-Side Request Forgery (SSRF)
CVSS 9 · CRITICAL
⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog
Confirmed exploited in the wild. Added 2021-12-01.
Federal remediation due 2021-12-15.
Required action: Apply updates per vendor instructions.
Summary
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVSS 3.1 breakdown
| Base score | 9 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | CHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Resf rocky linuxRedhat enterprise linuxRedhat enterprise linux eusRedhat enterprise linux for arm 64Redhat enterprise linux for arm 64 eusRedhat enterprise linux for ibm z systemsRedhat enterprise linux for ibm z systems eusRedhat enterprise linux for ibm z systems eus s390xRedhat enterprise linux for power big endianRedhat enterprise linux for power little endianRedhat enterprise linux for power little endian eusRedhat enterprise linux for scientific computingRedhat enterprise linux serverRedhat enterprise linux server ausRedhat enterprise linux server for power little endian update services for sap solutionsRedhat enterprise linux server tusRedhat enterprise linux server update services for sap solutionsRedhat enterprise linux update services for sap solutionsRedhat enterprise linux workstationRedhat jboss core services
Check this CVE live
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211008-0004/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-27. Always verify against the vendor advisory before acting.