
CVE-2021-40438

Known Exploited (CISA KEV)
CVSS Severity Score: 9.0 (CRITICAL)
EPSS Score: 67.9780%
EPSS Percentile: 87.84th
Published: September 16, 2021
Last Modified: October 27, 2025

Vulnerability Description

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Affected Platforms (CPE)

💻 Resf | Rocky Linux | = 8.0
💻 Redhat | Enterprise Linux | = 8.0
💻 Redhat | Enterprise Linux Eus | = 8.1
💻 Redhat | Enterprise Linux Eus | = 8.2
💻 Redhat | Enterprise Linux Eus | = 8.4
💻 Redhat | Enterprise Linux Eus | = 8.6
💻 Redhat | Enterprise Linux Eus | = 8.8
💻 Redhat | Enterprise Linux For Arm 64 | = 8.0
💻 Redhat | Enterprise Linux For Arm 64 Eus | = 8.6
💻 Redhat | Enterprise Linux For Arm 64 Eus | = 8.8
💻 Redhat | Enterprise Linux For Ibm Z Systems | = 7.0_s390x
💻 Redhat | Enterprise Linux For Ibm Z Systems | = 8.0
💻 Redhat | Enterprise Linux For Ibm Z Systems Eus | = 8.1
💻 Redhat | Enterprise Linux For Ibm Z Systems Eus | = 8.4
💻 Redhat | Enterprise Linux For Ibm Z Systems Eus | = 8.8
💻 Redhat | Enterprise Linux For Ibm Z Systems Eus S390x | = 8.2
💻 Redhat | Enterprise Linux For Power Big Endian | = 7.0
💻 Redhat | Enterprise Linux For Power Little Endian | = 7.0
💻 Redhat | Enterprise Linux For Power Little Endian | = 8.0
💻 Redhat | Enterprise Linux For Power Little Endian Eus | = 8.1
💻 Redhat | Enterprise Linux For Power Little Endian Eus | = 8.2
💻 Redhat | Enterprise Linux For Power Little Endian Eus | = 8.4
💻 Redhat | Enterprise Linux For Power Little Endian Eus | = 8.6
💻 Redhat | Enterprise Linux For Power Little Endian Eus | = 8.8
💻 Redhat | Enterprise Linux For Scientific Computing | = 7.0
💻 Redhat | Enterprise Linux Server | = 7.0
💻 Redhat | Enterprise Linux Server Aus | = 7.2
💻 Redhat | Enterprise Linux Server Aus | = 7.3
💻 Redhat | Enterprise Linux Server Aus | = 7.4
💻 Redhat | Enterprise Linux Server Aus | = 7.6
💻 Redhat | Enterprise Linux Server Aus | = 7.7
💻 Redhat | Enterprise Linux Server Aus | = 8.2
💻 Redhat | Enterprise Linux Server Aus | = 8.4
💻 Redhat | Enterprise Linux Server Aus | = 8.6
💻 Redhat | Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | = 7.6
💻 Redhat | Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | = 7.7
💻 Redhat | Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | = 8.1
💻 Redhat | Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | = 8.2
💻 Redhat | Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | = 8.4
💻 Redhat | Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | = 8.6
💻 Redhat | Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | = 8.8
💻 Redhat | Enterprise Linux Server Tus | = 7.6
💻 Redhat | Enterprise Linux Server Tus | = 7.7
💻 Redhat | Enterprise Linux Server Tus | = 8.2
💻 Redhat | Enterprise Linux Server Tus | = 8.4
💻 Redhat | Enterprise Linux Server Tus | = 8.6
💻 Redhat | Enterprise Linux Server Tus | = 8.8
💻 Redhat | Enterprise Linux Server Update Services For Sap Solutions | = 7.6
💻 Redhat | Enterprise Linux Server Update Services For Sap Solutions | = 7.7
💻 Redhat | Enterprise Linux Update Services For Sap Solutions | = 8.1
💻 Redhat | Enterprise Linux Update Services For Sap Solutions | = 8.2
💻 Redhat | Enterprise Linux Update Services For Sap Solutions | = 8.4
💻 Redhat | Enterprise Linux Update Services For Sap Solutions | = 8.6
💻 Redhat | Enterprise Linux Update Services For Sap Solutions | = 8.8
💻 Redhat | Enterprise Linux Workstation | = 7.0
📦 Redhat | Jboss Core Services | = 1.0
📦 Redhat | Software Collections | = 1.0
📦 Apache | Http Server | <= 2.4.48
💻 Fedoraproject | Fedora | = 34
💻 Fedoraproject | Fedora | = 35
💻 Debian | Debian Linux | = 9.0
💻 Debian | Debian Linux | = 10.0
💻 Debian | Debian Linux | = 11.0
📦 Netapp | Cloud Backup | All versions
📦 Netapp | Clustered Data Ontap | All versions
📦 Netapp | Storagegrid | All versions
💻 Broadcom | Brocade Fabric Operating System Firmware | All versions
💻 F5 | F5os | >= 1.1.0 and <= 1.1.4
💻 F5 | F5os | >= 1.2.0 and <= 1.2.1
📦 Oracle | Enterprise Manager Ops Center | = 12.4.0.0
📦 Oracle | Http Server | = 12.2.1.3.0
📦 Oracle | Http Server | = 12.2.1.4.0
📦 Oracle | Instantis Enterprisetrack | = 17.1
📦 Oracle | Instantis Enterprisetrack | = 17.2
📦 Oracle | Instantis Enterprisetrack | = 17.3
📦 Oracle | Secure Global Desktop | = 5.6
📦 Oracle | Zfs Storage Appliance Kit | = 8.8
📦 Siemens | Ruggedcom Nms | All versions
📦 Siemens | Sinec Nms | < 1.0.3
📦 Siemens | Sinema Remote Connect Server | < 3.1
📦 Siemens | Sinema Remote Connect Server | = 3.2
📦 Siemens | Sinema Server | = 14.0
📦 Tenable | Tenable.sc | <= 5.19.1

References & Advisories
