CVE-2021-44224

Updated: 2025-08-20 00:21:56.128658

Description:

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 6.4 |
| CVSS Version 3.x | HIGH | 8.2 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | httpd | 2.4.53 | 8.2 | HIGH | Not Vulnerable | | 2023-11-08 08:36:01 | Vulnerable piece of code doesn’t exist in our version |
| CentOS 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | | 2022-04-19 21:49:49 | Vulnerable piece of code doesn’t exist in our version |
| CentOS 7 ELS | httpd | 2.4.6 | 8.2 | HIGH | Not Vulnerable | | 2023-10-27 11:07:14 | Vulnerable piece of code doesn’t exist in our version |
| CentOS 8.4 ELS | httpd | 2.4.37 | 8.2 | HIGH | Released | CLSA-2022:1644869841 | 2022-04-19 21:49:49 | Vulnerable piece of code doesn’t exist in our version |
| CentOS 8.5 ELS | httpd | 2.4.37 | 8.2 | HIGH | Released | CLSA-2022:1644869383 | 2022-04-19 21:49:49 | Vulnerable piece of code doesn’t exist in our version |
| CloudLinux 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | | 2022-04-19 21:49:49 | Vulnerable piece of code doesn’t exist in our version |
| Debian 10 ELS | apache2 | 2.4.59 | 8.2 | HIGH | Already Fixed | | 2025-10-21 18:58:47 | |
| Oracle Linux 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | | 2022-04-19 21:49:49 | Vulnerable piece of code doesn’t exist in our version |
| Ubuntu 16.04 ELS | apache2 | 2.4.18 | 8.2 | HIGH | Released | CLSA-2021:1640697114 | 2022-04-19 21:49:45 | Vulnerable piece of code doesn’t exist in our version |
| Ubuntu 18.04 ELS | apache2 | 2.4.29 | 8.2 | HIGH | Already Fixed | | 2023-06-02 09:10:44 | Vulnerable piece of code doesn’t exist in our version |