CVE-2021-40438
mod_proxy SSRF
In short
Apache HTTP Server's mod_proxy module can be tricked into forwarding requests to servers of an attacker's choice through a specially crafted request path. This allows attackers to access internal systems or services that should not be publicly reachable.
Technical detail
A Server-Side Request Forgery (SSRF) vulnerability in mod_proxy allows an unauthenticated remote attacker to manipulate the uri-path parameter so that proxied requests are redirected to arbitrary origin servers. Pre-condition: mod_proxy must be enabled. Impact includes unauthorized access to internal resources, information disclosure, and potential lateral movement within the network infrastructure.
Summary generated and translated by AI from the official description.
A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
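As an added example (not part of this advisory or of the Apache project), a POSIX shell check that reads the text of `httpd -v` and `httpd -M` and reports whether a host matches the two conditions stated above: Apache HTTP Server 2.4.48 or earlier with mod_proxy loaded. The function names and the sample output are constructed here; the binary is `apache2ctl` on Debian-based systems, and since distributions such as Debian and Fedora ship backported fixes (see the references), a bare version string can overstate exposure.

```shell
#!/bin/sh
# Added example, not from the advisory: flag hosts matching its stated
# conditions for CVE-2021-40438 (Apache HTTP Server <= 2.4.48 with
# mod_proxy loaded) from `httpd -v` / `httpd -M` text (apache2ctl on Debian).
# Caveat: distributions backport fixes; confirm against the vendor advisory.

# version_le A B: returns 0 if dotted version A <= B, comparing fields numerically
version_le() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# httpd_version TEXT: pull "2.4.48" out of a "Server version: Apache/2.4.48 (Unix)" line
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# proxy_loaded TEXT: returns 0 if `httpd -M` output lists proxy_module
proxy_loaded() {
    printf '%s\n' "$1" | grep -q '^ *proxy_module '
}

# check_exposure VERSION_TEXT MODULES_TEXT: returns 0 only if both conditions hold
check_exposure() {
    v=$(httpd_version "$1")
    if [ -z "$v" ]; then echo "could not parse httpd version"; return 2; fi
    if version_le "$v" 2.4.48 && proxy_loaded "$2"; then
        echo "AFFECTED: Apache $v with mod_proxy loaded (upgrade past 2.4.48)"
        return 0
    fi
    echo "not matching: Apache $v, proxy_module loaded: $(proxy_loaded "$2" && echo yes || echo no)"
    return 1
}

# Constructed sample output (shape of `httpd -v` / `httpd -M`), for a stand-alone run
SAMPLE_V='Server version: Apache/2.4.48 (Unix)
Server built:   Jun  1 2021 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)'
check_exposure "$SAMPLE_V" "$SAMPLE_M"
```

On a live host, feed it `check_exposure "$(httpd -v)" "$(httpd -M 2>/dev/null)"` instead of the constructed samples.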
Affected products
Apache Software Foundation · Apache HTTP Server
Public PoCs found — 10
github.com/sixpacksecurity/CVE-2021-40438 ★ 12
github.com/sergiovks/CVE-2021-40438-Apache-2.4.48-SSRF-exploit ★ 9
github.com/xiaojiangxl/CVE-2021-40438 ★ 4
github.com/BabyTeam1024/CVE-2021-40438 ★ 2
github.com/gassara-kys/CVE-2021-40438 ★ 1
github.com/pisut4152/Sigma-Rule-for-CVE-2021-40438-exploitation-attempt ★ 1
github.com/Cappricio-Securities/CVE-2021-40438 ★ 1
github.com/n0m-d/CVE-2021-40438-POC ★ 0
github.com/yakir2b/check-point-gateways-rce ★ 0
github.com/ericmann/apache-cve-poc ★ 0
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E
https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E
https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E
https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/