Numerous vulnerabilities have been identified and fixed in Apache HTTP Server 2.4, including high-impact server-side request forgery (SSRF) and request smuggling bugs.
The Apache HTTP Server Project is a collaborative project to develop and maintain an open source software-based HTTP server for modern operating systems including UNIX and Windows. The technology is claimed to be the most popular web server on the internet.
A high-severity vulnerability with a CVSS score of 8.1, CVE-2021-40438, was discovered by the Apache HTTP security team. The security flaw allows a remote attacker to perform SSRF attacks, and stems from insufficient validation of user-supplied input within the mod proxy module.
Sending a specially crafted HTTP request with a chosen uri-path could trick the web server into initiating requests to arbitrary systems. This would allow the attacker to gain access to sensitive data in the local network or send malicious requests to other servers.
Meanwhile, CVE-2021-33193, rated as a moderate severity vulnerability, was reported by PortSwigger security researcher James Kettle on May 11.