CVE-2021-40438

CRITICALImmediate

Published:Sep 16, 2021(4 years ago)

Modified:Oct 27, 2025

Remote ExploitNo Auth RequiredNo InteractionScope Changes

Vulnerability Description

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Attack Characteristics

Network AccessHigh ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
resf	rocky_linux	-	-
redhat	enterprise_linux	-	-
redhat	enterprise_linux_eus	-

Timeline

Published
CVE disclosed publicly
Sep 16, 20214 years ago
Last Modified
Most recent update
Oct 27, 20256 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdfThird Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes
https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4d...Mailing List

CVSS Score

v3.1

9.0/ 10.0

CRITICAL

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

At a Glance

Affected Products

References

resf / rocky_linux

https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c5...Mailing List

https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d7530...Mailing List

https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c2...Mailing List

https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573...Mailing List

https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee...Mailing List

https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a7...Mailing List

https://lists.debian.org/debian-lts-announce/2021/10/msg00001.htmlMailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists...Release Notes

https://security.gentoo.org/glsa/202208-20Third Party Advisory

https://security.netapp.com/advisory/ntap-20211008-0004/Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/...Broken Link

https://www.debian.org/security/2021/dsa-4982Mailing List

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch

https://www.oracle.com/security-alerts/cpujan2022.htmlPatch

https://www.tenable.com/security/tns-2021-17Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdfThird Party Advisory

https://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes

https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4d...Mailing List