// For flags

CVE-2021-40438

Apache HTTP Server-Side Request Forgery (SSRF)

Severity Score

9.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

8
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Un uri-path diseñado puede causar que mod_proxy reenvíe la petición a un servidor de origen elegido por el usuario remoto. Este problema afecta a Apache HTTP Server versiones 2.4.48 y anteriores

A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network.

This vulnerability allows remote attackers to initiate arbitrary server-side requests on affected installations of Hewlett Packard Enterprise OneView. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the REST service, which listens on TCP port 443 by default. The issue results from the use of a vulnerable Apache HTTP server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.

*Credits: The issue was discovered by the Apache HTTP security team while analysing CVE-2021-36160
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-09-02 CVE Reserved
  • 2021-09-16 CVE Published
  • 2021-10-18 First Exploit
  • 2021-12-01 Exploited in Wild
  • 2021-12-15 KEV Due Date
  • 2024-08-04 CVE Updated
  • 2024-09-19 EPSS Updated
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (29)
URL Tag Source
https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf Third Party Advisory
https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html Mailing List
https://security.netapp.com/advisory/ntap-20211008-0004 Third Party Advisory
https://www.tenable.com/security/tns-2021-17 Third Party Advisory
URL Date SRC
https://github.com/sixpacksecurity/CVE-2021-40438 2021-10-24
https://github.com/xiaojiangxl/CVE-2021-40438 2021-10-18
https://github.com/Kashkovsky/CVE-2021-40438 2022-04-03
https://github.com/sergiovks/CVE-2021-40438-Apache-2.4.48-SSRF-exploit 2023-12-12
https://github.com/BabyTeam1024/CVE-2021-40438 2021-10-28
https://github.com/gassara-kys/CVE-2021-40438 2022-06-10
https://github.com/Cappricio-Securities/CVE-2021-40438 2024-06-21
https://github.com/pisut4152/Sigma-Rule-for-CVE-2021-40438-exploitation-attempt 2021-11-30
URL Date SRC
https://www.oracle.com/security-alerts/cpuapr2022.html 2024-07-24
https://www.oracle.com/security-alerts/cpujan2022.html 2024-07-24
URL Date SRC
https://httpd.apache.org/security/vulnerabilities_24.html 2024-07-24
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD 2024-07-24
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R 2024-07-24
https://security.gentoo.org/glsa/202208-20 2024-07-24
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ 2024-07-24
https://www.debian.org/security/2021/dsa-4982 2024-07-24
https://access.redhat.com/security/cve/CVE-2021-40438 2021-10-14
https://bugzilla.redhat.com/show_bug.cgi?id=2005117 2021-10-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Http Server
Search vendor "Apache" for product "Http Server"
 <= 2.4.48
Search vendor "Apache" for product "Http Server" and version " <= 2.4.48"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Netapp
Search vendor "Netapp"
 Cloud Backup
Search vendor "Netapp" for product "Cloud Backup"
--
Affected
Netapp
Search vendor "Netapp"
 Clustered Data Ontap
Search vendor "Netapp" for product "Clustered Data Ontap"
--
Affected
Netapp
Search vendor "Netapp"
 Storagegrid
Search vendor "Netapp" for product "Storagegrid"
--
Affected
Broadcom
Search vendor "Broadcom"
 Brocade Fabric Operating System Firmware
Search vendor "Broadcom" for product "Brocade Fabric Operating System Firmware"
--
Affected
F5
Search vendor "F5"
 F5os
Search vendor "F5" for product "F5os"
 >= 1.1.0 <= 1.1.4
Search vendor "F5" for product "F5os" and version " >= 1.1.0 <= 1.1.4"
-
Affected
F5
Search vendor "F5"
 F5os
Search vendor "F5" for product "F5os"
 >= 1.2.0 <= 1.2.1
Search vendor "F5" for product "F5os" and version " >= 1.2.0 <= 1.2.1"
-
Affected
Oracle
Search vendor "Oracle"
 Enterprise Manager Ops Center
Search vendor "Oracle" for product "Enterprise Manager Ops Center"
 12.4.0.0
Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.4.0.0"
-
Affected
Oracle
Search vendor "Oracle"
 Http Server
Search vendor "Oracle" for product "Http Server"
 12.2.1.3.0
Search vendor "Oracle" for product "Http Server" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
 Http Server
Search vendor "Oracle" for product "Http Server"
 12.2.1.4.0
Search vendor "Oracle" for product "Http Server" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
 Instantis Enterprisetrack
Search vendor "Oracle" for product "Instantis Enterprisetrack"
 17.1
Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.1"
-
Affected
Oracle
Search vendor "Oracle"
 Instantis Enterprisetrack
Search vendor "Oracle" for product "Instantis Enterprisetrack"
 17.2
Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.2"
-
Affected
Oracle
Search vendor "Oracle"
 Instantis Enterprisetrack
Search vendor "Oracle" for product "Instantis Enterprisetrack"
 17.3
Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.3"
-
Affected
Oracle
Search vendor "Oracle"
 Secure Global Desktop
Search vendor "Oracle" for product "Secure Global Desktop"
 5.6
Search vendor "Oracle" for product "Secure Global Desktop" and version "5.6"
-
Affected
Oracle
Search vendor "Oracle"
 Zfs Storage Appliance Kit
Search vendor "Oracle" for product "Zfs Storage Appliance Kit"
 8.8
Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"
-
Affected
Siemens
Search vendor "Siemens"
 Ruggedcom Nms
Search vendor "Siemens" for product "Ruggedcom Nms"
*-
Affected
Siemens
Search vendor "Siemens"
 Sinec Nms
Search vendor "Siemens" for product "Sinec Nms"
 < 1.0.3
Search vendor "Siemens" for product "Sinec Nms" and version " < 1.0.3"
-
Affected
Siemens
Search vendor "Siemens"
 Sinema Remote Connect Server
Search vendor "Siemens" for product "Sinema Remote Connect Server"
 < 3.1
Search vendor "Siemens" for product "Sinema Remote Connect Server" and version " < 3.1"
-
Affected
Siemens
Search vendor "Siemens"
 Sinema Remote Connect Server
Search vendor "Siemens" for product "Sinema Remote Connect Server"
 3.2
Search vendor "Siemens" for product "Sinema Remote Connect Server" and version "3.2"
-
Affected
Siemens
Search vendor "Siemens"
 Sinema Server
Search vendor "Siemens" for product "Sinema Server"
 14.0
Search vendor "Siemens" for product "Sinema Server" and version "14.0"
-
Affected
Tenable
Search vendor "Tenable"
 Tenable.sc
Search vendor "Tenable" for product "Tenable.sc"
 <= 5.19.1
Search vendor "Tenable" for product "Tenable.sc" and version " <= 5.19.1"
-
Affected