CVEID:CVE-2021-40438
**DESCRIPTION:**Apache HTTP Server is vulnerable to server-side request forgery, caused by an error in mod_proxy. By sending a specially crafted request uri-path, a remote attacker could exploit this vulnerability to forward the request to an origin server chosen by the remote user.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209526 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Build Forge	8.0 - 8.0.0.20

Remediation/Fixes

You must download the fix pack specified in the following table and apply it.

Affected Supporting Product(s)

Remediation/Fix

—|—

IBM Rational Build Forge 8.0 to 8.0.0.20

Download IBM Rational Build Forge 8.0.0.21.

The fix includes Apache-HTTP-Server-2.4.52

Workarounds and Mitigations

None

CPENameOperatorVersion
rational build forge familyeq8.0.0.21

CPE	Name	Operator	Version
	rational build forge family	eq	8.0.0.21

cisa_kev 1

osv 13

nessus 57

ibm 11

redhat 9

httpd 1

githubexploit 8

almalinux 3

veracode 1

hackerone 1

cbl_mariner 2

nuclei 1

nvd 2

ubuntucve 2

cve 2

cnvd 1

f5 1

oraclelinux 2

centos 1

openvas 34

checkpoint_advisories 1

rocky 3

prion 2

redhatcve 2

debiancve 2

rapid7blog 1

alpinelinux 1

cvelist 2

attackerkb 1

ubuntu 4

debian 2

ics 1

photon 5

suse 2

altlinux 2

trellix 2

freebsd 1

mageia 1

cisco 1

cisa 1

kaspersky 1

slackware 1

rosalinux 2

amazon 2

fedora 2

gentoo 1

cisa_kev

Apache HTTP Server-Side Request Forgery (SSRF)

2021-12-01 00:00:00

osv

BIT-apache-2021-40438

2024-03-06 10:55:02

httpd:2.4 bug fix update

2021-11-10 09:00:43

CVE-2021-40438

2021-09-16 15:15:07

nessus

RHEL 7 : httpd24-httpd (RHSA-2021:3754)

2021-10-12 00:00:00

Oracle Linux 7 : httpd (ELSA-2021-3856)

2021-10-15 00:00:00

RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9 (RHSA-2021:3746)

2021-10-07 00:00:00

ibm

Security Bulletin: Apache HTTP Server as used in IBM QRadar SIEM is vulnerable to server-side request forgery (SSRF) (CVE-2021-40438)

2021-12-20 21:02:58

Security Bulletin: IBM Aspera Orchestrator vulnerable to server-side request forgery due to Apache HTTP Server vulnerability (CVE-2021-40438)

2023-02-02 17:18:50

Security Bulletin: IBM Aspera Faspex 4.4.1 and earlier has addressed an Apache vulnerabilitiy (CVE-2021-40438)

2022-09-07 23:29:54

redhat

(RHSA-2021:3746) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9 security update

2021-10-07 13:31:45

(RHSA-2021:3836) Important: httpd:2.4 security update

2021-10-13 07:08:32

(RHSA-2021:3856) Important: httpd security update

2021-10-14 08:00:40

httpd

Apache Httpd < 2.4.49 : mod_proxy SSRF

2021-09-16 00:00:00

githubexploit

Exploit for Server-Side Request Forgery in Apache Http Server

2021-10-18 02:02:43

Exploit for Server-Side Request Forgery in Apache Http Server

2021-10-24 10:18:08

Exploit for Server-Side Request Forgery in Apache Http Server

2022-06-10 00:46:58

almalinux

httpd:2.4 bug fix update

2021-11-10 09:00:43

Important: httpd:2.4 security update

2021-10-12 15:53:03

Important: httpd:2.4 security update

2021-11-09 19:25:44

veracode

Cross-Site Request Forgery (CSRF)

2021-09-20 12:57:14

hackerone

Acronis: CVE-2021-40438 on cp-eu2.acronis.com

2021-10-15 05:46:15

cbl_mariner

CVE-2021-40438 affecting package httpd 2.4.46-6

2021-10-15 04:46:31

CVE-2021-40438 affecting package httpd for versions less than 2.4.52-1

2022-04-09 06:51:57

nuclei

Apache <= 2.4.48 Mod_Proxy - Server-Side Request Forgery

2021-10-14 19:59:52

nvd

CVE-2021-40438

2021-09-16 15:15:07

CVE-2021-20325

2022-02-18 18:15:09

ubuntucve

CVE-2021-40438

2021-09-16 00:00:00

CVE-2021-20325

2022-02-18 00:00:00

cve

CVE-2021-40438

2021-09-16 15:15:07

CVE-2021-20325

2022-02-18 18:15:09

cnvd

Apache HTTP Server mod_proxy server-side request forgery vulnerability

2021-09-18 00:00:00

K01552024 : Apache vulnerability CVE-2021-40438

2021-10-21 00:00:00

oraclelinux

httpd security update

2021-10-14 00:00:00

httpd:2.4 security update

2021-10-13 00:00:00

centos

httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update

2021-11-17 14:59:00

openvas

CentOS: Security Advisory for httpd (CESA-2021:3856)

2021-11-18 00:00:00

Debian: Security Advisory (DLA-2776-1)

2021-10-03 00:00:00

SUSE: Security Advisory (SUSE-SU-2021:3299-1)

2021-10-07 00:00:00

checkpoint_advisories

Apache HTTP Server Server-Side Request Forgery (CVE-2021-40438)

2021-10-18 00:00:00

rocky

2.4 bug fix update

2021-11-10 09:00:43

httpd:2.4 security update

2021-10-12 15:53:03

httpd:2.4 security update

2021-11-09 19:25:44

prion

Design/Logic Flaw

2021-09-16 15:15:00

Design/Logic Flaw

2022-02-18 18:15:00

redhatcve

CVE-2021-40438

2021-09-16 20:45:58

CVE-2021-20325

2021-11-09 09:06:32

debiancve

CVE-2021-40438

2021-09-16 15:15:07

CVE-2021-20325

2022-02-18 18:15:09

rapid7blog

Active Exploitation of Apache HTTP Server CVE-2021-40438

2021-11-30 17:38:53

alpinelinux

CVE-2021-40438

2021-09-16 15:15:07

cvelist

CVE-2021-40438 mod_proxy SSRF

2021-09-16 14:40:23

CVE-2021-20325

2022-02-18 17:50:47

attackerkb

CVE-2021-40438

2021-09-16 00:00:00

ubuntu

Apache HTTP Server vulnerabilities

2021-09-27 00:00:00

Apache HTTP Server regression

2021-09-28 00:00:00

Apache HTTP Server regression

2021-09-28 00:00:00

debian

[SECURITY] [DLA 2776-1] apache2 security update

2021-10-02 16:07:56

[SECURITY] [DSA 4982-1] apache2 security update

2021-10-08 20:56:04

ics

Siemens Apache HTTP Server (Update A)

2022-10-13 12:00:00

photon

Critical Photon OS Security Update - PHSA-2021-0309

2021-10-01 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0437

2021-10-01 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-2.0-0399

2021-10-01 00:00:00

suse

Security update for apache2 (important)

2021-10-26 00:00:00

Security update for apache2 (important)

2021-11-02 00:00:00

altlinux

Security fix for the ALT Linux 10 package apache2 version 1:2.4.49-alt1

2021-10-04 00:00:00

Security fix for the ALT Linux 9 package apache2 version 1:2.4.49-alt1

2021-09-23 00:00:00

trellix

The Bug Report – October Edition

2021-11-02 00:00:00

The Bug Report – October Edition

2021-11-02 00:00:00

freebsd

Apache httpd -- multiple vulnerabilities

2021-09-16 00:00:00

mageia

Updated apache packages fix security vulnerability

2021-09-23 07:49:29

cisco

Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021

2021-11-24 16:00:00

cisa

CISA Adds Five Known Exploited Vulnerabilities to Catalog

2021-12-01 00:00:00

kaspersky

KLA12370 Multiple vulnerabilities in Apache HTTP Server

2021-09-16 00:00:00

slackware

[slackware-security] httpd

2021-09-17 04:22:20

rosalinux

Advisory ROSA-SA-2023-2158

2023-04-25 11:30:17

Advisory ROSA-SA-2023-2160

2023-04-25 12:02:31

amazon

Important: httpd24

2021-10-15 07:52:00

Important: httpd

2021-10-15 07:57:00

fedora

[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35

2021-09-24 20:56:12

[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34

2021-09-20 13:58:04

gentoo

Apache HTTPD: Multiple Vulnerabilities

2022-08-14 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

0.974 High

EPSS

Percentile

99.9%

JSON

Related for 3D8081DD4AB9AD49DD1BE909B833BDDD189277A296D1DC86F606AECC69D154F1