CVE-2021-40438

CVE Published	2021-09-16
Related CWE(s)	CWE-918: Server-Side Request Forgery (SSRF)
Related Vendor(s)	fedoraproject, oracle, apache, siemens, tenable, f5, broadcom, netapp, debian
Related Product(s)	secure_global_desktop, ruggedcom_nms, http_server, zfs_storage_appliance_kit, tenable.sc, sinema_remote_connect_server, clustered_data_ontap, storagegrid, sinec_nms, sinema_server, f5os, fedora, cloud_backup, brocade_fabric_operating_system_firmware, debian_linux, instantis_enterprisetrack, enterprise_manager_ops_center
Exploitation Reported (CISA KEV)	2021-12-01
CVSS 3 Base Score	9.0 (CRITICAL)
CVSS 3 Attack Complexity	HIGH
CVSS 3 Attack Vector	NETWORK

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Server Side Request Forgery (CAPEC-664)

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.

References

CVE.org

View more information about CVE-2021-40438 on the official MITRE CVE website.

NIST National Vulnerability Database

CVE-2021-40438 on the NIST NVD.

CISA Known Exploited Vulnerabilities