CVE-2021-40438 (CNNVD-202109-1094)
CRITICAL
中文标题:
Apache HTTP Server 代码问题漏洞
英文标题:
mod_proxy SSRF
CVSS分数:
9.0
发布时间:
2021-09-16 14:40:23
漏洞类型:
代码问题
状态:
PUBLISHED
数据质量分数:
0.30
数据版本:
v3
漏洞描述
中文描述:
Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server存在代码问题漏洞,该漏洞是由于系统对用户的输入没有进行严格的过滤导致,攻击者可以构造恶意数据对目标服务器进行SSRF攻击。该漏洞可做为攻击目标服务器内网的跳板,以此对服务器所在内网进行端口扫描、攻击运行在内网的应用程序、下载内网资源等。
英文描述:
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
CWE类型:
CWE-918
标签:
(暂无数据)
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Apache Software Foundation | Apache HTTP Server | - | ≤ 2.4.48 | - |
cpe:2.3:a:apache_software_foundation:apache_http_server:*:*:*:*:*:*:*:*
|
| resf | rocky_linux | 8.0 | - | - |
cpe:2.3:o:resf:rocky_linux:8.0:*:*:*:*:*:*:*
|
| redhat | jboss_core_services | 1.0 | - | - |
cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*
|
| redhat | software_collections | 1.0 | - | - |
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux | 8.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_eus | 8.1 | - | - |
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_eus | 8.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_eus | 8.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_eus | 8.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_eus | 8.8 | - | - |
cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_arm_64 | 8.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_arm_64_eus | 8.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_arm_64_eus | 8.8 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.8:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_ibm_z_systems | 7.0_s390x | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_ibm_z_systems | 8.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.1 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.1:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.8 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.8:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_ibm_z_systems_eus_s390x | 8.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus_s390x:8.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_big_endian | 7.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_little_endian | 7.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_little_endian | 8.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_little_endian_eus | 8.1 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_little_endian_eus | 8.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_little_endian_eus | 8.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_little_endian_eus | 8.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_power_little_endian_eus | 8.8 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.8:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_for_scientific_computing | 7.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server | 7.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 7.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 7.3 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 7.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 7.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 7.7 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 8.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 8.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_aus | 8.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions | 7.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions | 7.7 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions | 8.1 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions | 8.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions | 8.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions | 8.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions | 8.8 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.8:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_tus | 7.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_tus | 7.7 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_tus | 8.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_tus | 8.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_tus | 8.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_tus | 8.8 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.8:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.7 | - | - |
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_update_services_for_sap_solutions | 8.1 | - | - |
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_update_services_for_sap_solutions | 8.2 | - | - |
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_update_services_for_sap_solutions | 8.4 | - | - |
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_update_services_for_sap_solutions | 8.6 | - | - |
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_update_services_for_sap_solutions | 8.8 | - | - |
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:8.8:*:*:*:*:*:*:*
|
| redhat | enterprise_linux_workstation | 7.0 | - | - |
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
|
| apache | http_server | * | - | - |
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
|
| fedoraproject | fedora | 34 | - | - |
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
|
| fedoraproject | fedora | 35 | - | - |
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
|
| debian | debian_linux | 9.0 | - | - |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
| debian | debian_linux | 10.0 | - | - |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
| debian | debian_linux | 11.0 | - | - |
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
|
| netapp | cloud_backup | - | - | - |
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
|
| netapp | clustered_data_ontap | - | - | - |
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
|
| netapp | storagegrid | - | - | - |
cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
|
| broadcom | brocade_fabric_operating_system_firmware | - | - | - |
cpe:2.3:o:broadcom:brocade_fabric_operating_system_firmware:-:*:*:*:*:*:*:*
|
| f5 | f5os | * | - | - |
cpe:2.3:o:f5:f5os:*:*:*:*:*:*:*:*
|
| oracle | enterprise_manager_ops_center | 12.4.0.0 | - | - |
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
|
| oracle | http_server | 12.2.1.3.0 | - | - |
cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
|
| oracle | http_server | 12.2.1.4.0 | - | - |
cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
|
| oracle | instantis_enterprisetrack | 17.1 | - | - |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
|
| oracle | instantis_enterprisetrack | 17.2 | - | - |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
|
| oracle | instantis_enterprisetrack | 17.3 | - | - |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
|
| oracle | secure_global_desktop | 5.6 | - | - |
cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:*
|
| oracle | zfs_storage_appliance_kit | 8.8 | - | - |
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
|
| siemens | ruggedcom_nms | * | - | - |
cpe:2.3:a:siemens:ruggedcom_nms:*:*:*:*:*:*:*:*
|
| siemens | sinec_nms | * | - | - |
cpe:2.3:a:siemens:sinec_nms:*:*:*:*:*:*:*:*
|
| siemens | sinema_remote_connect_server | * | - | - |
cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*
|
| siemens | sinema_remote_connect_server | 3.2 | - | - |
cpe:2.3:a:siemens:sinema_remote_connect_server:3.2:*:*:*:*:*:*:*
|
| siemens | sinema_server | 14.0 | - | - |
cpe:2.3:a:siemens:sinema_server:14.0:-:*:*:*:*:*:*
|
| tenable | tenable.sc | * | - | - |
cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题
x_refsource_MISC
cve.org
访问
cve.org
FEDORA-2021-dce7e7738e
vendor-advisory
cve.org
访问
cve.org
[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info
mailing-list
cve.org
访问
cve.org
[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info
mailing-list
cve.org
访问
cve.org
[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info
mailing-list
cve.org
访问
cve.org
[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info
mailing-list
cve.org
访问
cve.org
FEDORA-2021-e3f6dd670d
vendor-advisory
cve.org
访问
cve.org
[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update
mailing-list
cve.org
访问
cve.org
[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression
mailing-list
cve.org
访问
cve.org
DSA-4982
vendor-advisory
cve.org
访问
cve.org
[httpd-users] 20211019 [users@httpd] Regarding CVE-2021-40438
mailing-list
cve.org
访问
cve.org
[httpd-users] 20211019 Re: [users@httpd] Regarding CVE-2021-40438
mailing-list
cve.org
访问
cve.org
20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021
vendor-advisory
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
GLSA-202208-20
vendor-advisory
cve.org
访问
cve.org
134c704f-9b21-4f2e-91b3-4a467353bcc0
OTHER
nvd.nist.gov
访问
nvd.nist.gov
CVSS评分详情
3.1 (adp)
CRITICAL
9.0
CVSS向量:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
机密性
HIGH
完整性
HIGH
可用性
HIGH
时间信息
发布时间:
2021-09-16 14:40:23
修改时间:
2025-10-21 23:25:32
创建时间:
2025-11-11 15:37:02
更新时间:
2025-11-11 15:56:54
利用信息
暂无可利用代码信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2021-40438 |
2025-11-11 15:21:05 | 2025-11-11 07:37:02 |
| NVD | nvd_CVE-2021-40438 |
2025-11-11 14:57:42 | 2025-11-11 07:45:20 |
| CNNVD | cnnvd_CNNVD-202109-1094 |
2025-11-11 15:10:43 | 2025-11-11 07:56:54 |
版本与语言
当前版本:
v3
主要语言:
EN
支持语言:
EN
ZH
安全公告
暂无安全公告信息
变更历史
v3
CNNVD
2025-11-11 15:56:54
vulnerability_type: 未提取 → 代码问题; cnnvd_id: 未提取 → CNNVD-202109-1094; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
- vulnerability_type: 未提取 -> 代码问题
- cnnvd_id: 未提取 -> CNNVD-202109-1094
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2
NVD
2025-11-11 15:45:20
affected_products_count: 1 → 83; references_count: 19 → 20; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
- affected_products_count: 1 -> 83
- references_count: 19 -> 20
- data_sources: ['cve'] -> ['cve', 'nvd']