CVE-2021-44224
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
20/12/2021
Last modified:
07/11/2023
Description
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Impact
Base Score 3.x
8.20
Severity 3.x
HIGH
Base Score 2.0
6.40
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* | 2.4.7 (including) | 2.4.52 (excluding) |
| cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* | 5.14.0 (including) | 5.20.0 (excluding) |
| cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* | 5.16.0 (including) | 202201.1 (excluding) |
| cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:* | 9.0 (excluding) | |
| cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* | 9.0 (excluding) | |
| cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* | 9.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://httpd.apache.org/security/vulnerabilities_24.html
- http://seclists.org/fulldisclosure/2022/May/33
- http://seclists.org/fulldisclosure/2022/May/35
- http://seclists.org/fulldisclosure/2022/May/38
- http://www.openwall.com/lists/oss-security/2021/12/20/3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211224-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://www.debian.org/security/2022/dsa-5035
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.tenable.com/security/tns-2022-01
- https://www.tenable.com/security/tns-2022-03