CVE-2021-40438

CVE Published: 2021-09-16
Related CWE(s): CWE-918: Server-Side Request Forgery (SSRF)
Related Vendor(s): oracle, broadcom, netapp, debian, f5, tenable, fedoraproject, apache, siemens
Related Product(s): ruggedcom_nms, debian_linux, f5os, sinec_nms, fedora, http_server, instantis_enterprisetrack, storagegrid, zfs_storage_appliance_kit, tenable.sc, sinema_server, secure_global_desktop, sinema_remote_connect_server, enterprise_manager_ops_center, cloud_backup, clustered_data_ontap, brocade_fabric_operating_system_firmware
Exploitation Reported (CISA KEV): 2021-12-01
CVSS 3 Base Score: 9.0 (CRITICAL)
CVSS 3 Attack Complexity: HIGH
CVSS 3 Attack Vector: NETWORK

A crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
