CVE-2021-44224
Public on 2021-12-20
Modified on 2023-01-18
Description
There's a null pointer dereference and server-side request forgery flaw in httpd's mod_proxy module, when it is configured to be used as a forward proxy. A crafted packet could be sent on the adjacent network to the forward proxy that could cause a crash, or potentially SSRF via misdirected Unix Domain Socket requests. In the worst case, this could cause a denial of service or compromise to confidentiality of data.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | httpd | 2022-01-18 | ALAS2-2022-1737 | Fixed |
| Amazon Linux 2023 | httpd | 2023-02-17 | ALAS2023-2023-072 | Fixed |
| Amazon Linux 1 | httpd24 | 2022-01-18 | ALAS-2022-1560 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.1 | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H |
| NVD | CVSSv2 | 6.4 | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| NVD | CVSSv3 | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |