CVE-2021-44224

Description

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

How to fix CVE-2021-44224

To remediate CVE-2021-44224, upgrade the affected package to a fixed version below.

• —upgrade to 2.4.52-r0 or later
• —upgrade to 2.4.52 or later
• —upgrade to 2.4.52-1~deb11u2 or later
• —upgrade to 2.4.25-3+deb9u12 or later
• —upgrade to 2.4.38-3+deb10u7 or later

Is CVE-2021-44224 being exploited?

Moderate — EPSS is 9.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• from 0, < 2.4.52-r0
• >= 2.4.7, < 2.4.52
• from 0, < 2.4.52-1~deb11u2
• from 0, < 2.4.25-3+deb9u12
• from 0, < 2.4.38-3+deb10u7

CVSS scores

References (22)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-44224
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-44224
• WEBhttpd.apache.org/security/vulnerabilities_24.html
• WEBseclists.org/fulldisclosure/2022/May/33
• WEB