CVE-2021-40438
Published: 16 September 2021
Summary
CVE-2021-40438 is a critical-severity SSRF (CWE-918) vulnerability, listed here against Red Hat Enterprise Linux Server AUS. Its CVSS base score is 9.0 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A crafted request URI-path can cause mod_proxy in Apache HTTP Server to forward requests to an origin server chosen by the remote user. This vulnerability affects Apache HTTP Server 2.4.48 and earlier and is classified as CWE-918 (server-side request forgery) with a CVSS 3.1 score of 9.0.
An unauthenticated remote attacker can exploit the flaw over the network by supplying a malicious URI path. Successful exploitation has high impact on confidentiality, integrity, and availability with a scope change, since the affected proxy can be made to issue requests to an arbitrary origin server.
Advisories and patches referenced in Apache project lists and the Siemens SSA-685781 bulletin address remediation for this issue in Apache HTTP Server.
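To turn the affected range above into an inventory check, the following script (an added example, not part of this advisory) parses Apache `Server` banners and flags versions at or below 2.4.48. The host names and banners are constructed sample data; a version-range match is only a first pass, because distributions such as Red Hat backport fixes without changing the version number, so a flagged host must still be confirmed against vendor errata.

```python
import re

# The advisory states CVE-2021-40438 affects Apache HTTP Server 2.4.48 and earlier.
LAST_AFFECTED = (2, 4, 48)

# Matches "Apache", "Apache/2.4", or "Apache/2.4.48", case-insensitively.
BANNER_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?", re.IGNORECASE)


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a Server header, or None if no version is exposed."""
    match = BANNER_RE.search(server_header or "")
    if not match or match.group(1) is None:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(server_header):
    """Classify one Server header against the CVE-2021-40438 affected range."""
    header = server_header or ""
    if "apache" not in header.lower():
        return "not-apache"
    version = parse_apache_version(header)
    if version is None:
        # ServerTokens Prod hides the version; fall back to a package-level check.
        return "unknown"
    # Tuple comparison handles 2.4.9 < 2.4.10 correctly (string comparison would not).
    # "affected" means version-range match only; backported fixes need vendor confirmation.
    return "affected" if version <= LAST_AFFECTED else "not-affected"


def triage(hosts):
    """Map each host name to its assessment, so results can be sorted into work queues."""
    return {host: assess(banner) for host, banner in hosts.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_HOSTS = {
    "web-01": "Apache/2.4.48 (Ubuntu)",
    "web-02": "Apache/2.4.49 (Unix)",
    "web-03": "Apache/2.4.6 (CentOS)",
    "web-04": "Apache",
    "lb-01": "nginx/1.18.0",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host}: {status}")
```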
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-27615
Vulnerability details
A crafted request URI-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
- CWE(s): CWE-918 (Server-Side Request Forgery)
- KEV Date Added: 01 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): rejects or sanitizes the crafted URI-path before mod_proxy processes it, directly blocking the SSRF vector.
- AC-4 (Information Flow Enforcement): enforces explicit information-flow rules that limit which origin servers the proxy is allowed to forward requests to.
- SC-7 (Boundary Protection): boundary-protection mechanisms can restrict or inspect proxy traffic to prevent arbitrary origin-server forwarding.