A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HApache HTTP Server
APPApache≤ 2.4.48Broadcom Brocade Fabric Operating System Firmware
OSBroadcomwszystkie wersjeDebian
OSDebian10.011.09.0F5 F5os
OSF51.2.0 – 1.2.11.1.0 – 1.1.4Fedora Project Fedora
OSFedoraproject3435Netapp Cloud Backup
APPNetappwszystkie wersjeNetapp Clustered Data Ontap
APPNetappwszystkie wersjeNetapp Storagegrid
APPNetappwszystkie wersjeOracle Enterprise Manager Ops Center
APPOracle12.4.0.0Oracle HTTP Server
APPOracle12.2.1.3.012.2.1.4.0Oracle Instantis Enterprisetrack
APPOracle17.117.217.3Oracle Secure Global Desktop
APPOracle5.6Oracle Zfs Storage Appliance Kit
APPOracle8.8Red Hat Enterprise Linux
OSRedhat7.08.0Red Hat Enterprise Linux Eus
OSRedhat8.18.28.48.68.8Red Hat Enterprise Linux For Arm 64
OSRedhat8.0Red Hat Enterprise Linux For Arm 64 Eus
OSRedhat8.68.8Red Hat Enterprise Linux For IBM Z Systems
OSRedhat7.0_s390x8.0Red Hat Enterprise Linux For IBM Z Systems Eus
OSRedhat8.18.48.8Red Hat Enterprise Linux For IBM Z Systems Eus S390x
OSRedhat8.2Red Hat Enterprise Linux For Power Big Endian
OSRedhat7.0Red Hat Enterprise Linux For Power Little Endian
OSRedhat7.08.0Red Hat Enterprise Linux For Power Little Endian Eus
OSRedhat8.18.28.48.68.8Red Hat Enterprise Linux For Scientific Computing
OSRedhat7.0Red Hat Enterprise Linux Server
OSRedhat7.0Red Hat Enterprise Linux Server Aus
OSRedhat7.27.37.47.67.78.28.48.6Red Hat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions
OSRedhat7.67.78.18.28.48.68.8Red Hat Enterprise Linux Server Tus
OSRedhat7.67.78.28.48.68.8Red Hat Enterprise Linux Server Update Services For Sap Solutions
OSRedhat7.67.7Red Hat Enterprise Linux Server Workstation
OSRedhat7.0
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Apache
- Added to KEVi
- December 1, 2021
- Remediation deadline (US Federal)i
- December 15, 2021(overdue)
Required action (CISA)i
Apply updates per vendor instructions.
CISA descriptioni
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
⏰CISA DEADLINE: 15 grudnia 2021
References
Related vulnerabilities
CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki