CVE-2021-44224

Updated: 2023-11-07 20:22:24.206669

Description:

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 6.4 |
| CVSS Version 3.x | HIGH | 8.2 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | httpd | 2.4.53 | 8.2 | HIGH | Not Vulnerable | | 2023-11-08 08:36:01 |
| CentOS 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | | 2022-04-19 21:49:49 |
| CentOS 7 ELS | httpd | 2.4.6 | 8.2 | HIGH | Not Vulnerable | | 2023-10-27 11:07:14 |
| CentOS 8.4 ELS | httpd | 2.4.37 | 8.2 | HIGH | Released | CLSA-2022:1644869841 | 2022-04-19 21:49:49 |
| CentOS 8.5 ELS | httpd | 2.4.37 | 8.2 | HIGH | Released | CLSA-2022:1644869383 | 2022-04-19 21:49:49 |
| CloudLinux 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | | 2022-04-19 21:49:49 |
| Oracle Linux 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | | 2022-04-19 21:49:49 |
| Ubuntu 16.04 ELS | apache2 | 2.4.18 | 8.2 | HIGH | Released | CLSA-2021:1640697114 | 2022-04-19 21:49:45 |
| Ubuntu 18.04 ELS | apache2 | 2.4.29 | 8.2 | HIGH | Already Fixed | | 2023-06-02 09:10:44 |

Statement

Vulnerable piece of code doesn’t exist in our version