Apache MOD Proxy - Server Side Request Forgery (CVE-2021-40438)
- Severity
- CVSSv3 Score: 9
- Vulnerability description
The Apache HTTP Server is affected by a Server Side Request Forgery (SSRF) vulnerability located in the mod_proxy module. The root cause is that versions of the Apache HTTP Server before 2.4.48 do not sanitize user input in GET requests. As a result, an unauthenticated remote attacker can make the Apache server initiate HTTPS requests to arbitrary locations.
- Risk description
The risk exists that a remote unauthenticated attacker can use the vulnerable server to bypass a firewall and interact with other servers that are available to the target but are not exposed to the internet.
- Recommendation
Upgrade the Apache HTTP Server to version 2.4.49 or later.
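As an added illustration of the version threshold above (this is not part of the original advisory), the following Python check classifies Apache `Server` banners against the 2.4.49 fix version using numeric comparison, so that a banner such as 2.4.9 is not mis-sorted after 2.4.49 the way a string comparison would. The sample banners are constructed, not captured from real hosts.

```python
import re
from typing import Optional, Tuple

# Fix version stated in the advisory: 2.4.49 and later are not affected.
FIXED_VERSION = (2, 4, 49)

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header such as
    'Apache/2.4.46 (Ubuntu)'. Returns None when the banner carries no
    version, e.g. a host configured with 'ServerTokens Prod' answers 'Apache'."""
    m = _VERSION_RE.search(server_header)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def cve_2021_40438_banner_status(server_header: str) -> str:
    """Classify a banner as 'vulnerable', 'patched' or 'unknown' based only
    on the version threshold given in the advisory. Tuples compare
    element-wise, so (2, 4, 9) < (2, 4, 49) is evaluated correctly."""
    version = parse_apache_version(server_header)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED_VERSION else "vulnerable"


# Constructed sample banners for a quick demonstration run.
SAMPLE_BANNERS = [
    "Apache/2.4.46 (Ubuntu)",
    "Apache/2.4.49 (Unix)",
    "Apache/2.4.9",
    "Apache",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:28} -> {cve_2021_40438_banner_status(banner)}")
```

A banner version is only a triage signal: it cannot tell whether mod_proxy is actually enabled, and distributions that backport the fix without changing the reported version will show as vulnerable here, so confirm against package patch levels before acting.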
- Codename: Not available
- Detectable with: Network Scanner
- Exploitable with Sniper: No
- Vuln date: Sep 2021
- Published at
- Updated at
- Software Type: Web server
- Vendor: Apache
- Product: Server