CVE-2021-40438

Published: 16 September 2021

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: apache2 (Launchpad, Ubuntu, Debian)

Release status:
Upstream: Released (2.4.49-1)
Ubuntu 21.10 (Impish Indri): Released (2.4.48-3.1ubuntu2)
Ubuntu 21.04 (Hirsute Hippo): Released (2.4.46-4ubuntu1.3)
Ubuntu 20.04 LTS (Focal Fossa): Released (2.4.41-4ubuntu3.6)
Ubuntu 18.04 LTS (Bionic Beaver): Released (2.4.29-1ubuntu4.18)
Ubuntu 16.04 ESM (Xenial Xerus): Released (2.4.18-2ubuntu3.17+esm3)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (code not present)

Patches:
Upstream: https://github.com/apache/httpd/commit/d4901cb32133bc0e59ad193a29d1665597080d67