Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-vztc-xrcf-x7bk
Vulnerability ID VCID-vztc-xrcf-x7bk
Aliases CVE-2021-44224
Summary A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Status Published
Exploitability 0.5
Weighted Severity 6.4
Risk 3.2
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-476 NULL Pointer Dereference
CWE-918 Server-Side Request Forgery (SSRF)
System Score Found at
cvssv3 7.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44224.json
epss 0.0925 https://api.first.org/data/v1/epss?cve=CVE-2021-44224
epss 0.0925 https://api.first.org/data/v1/epss?cve=CVE-2021-44224
epss 0.0925 https://api.first.org/data/v1/epss?cve=CVE-2021-44224
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
apache_httpd moderate https://httpd.apache.org/security/json/CVE-2021-44224.json
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44224.json
https://api.first.org/data/v1/epss?cve=CVE-2021-44224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44790
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2034672 https://bugzilla.redhat.com/show_bug.cgi?id=2034672
CVE-2021-44224 https://httpd.apache.org/security/json/CVE-2021-44224.json
GLSA-202208-20 https://security.gentoo.org/glsa/202208-20
RHSA-2022:1915 https://access.redhat.com/errata/RHSA-2022:1915
RHSA-2022:6753 https://access.redhat.com/errata/RHSA-2022:6753
RHSA-2022:7143 https://access.redhat.com/errata/RHSA-2022:7143
RHSA-2022:7144 https://access.redhat.com/errata/RHSA-2022:7144
USN-5212-1 https://usn.ubuntu.com/5212-1/
USN-5212-2 https://usn.ubuntu.com/5212-2/
No exploits are available.
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44224.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.92876
EPSS Score 0.0925
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:53:50.872587+00:00 Apache HTTPD Importer Import https://httpd.apache.org/security/json/CVE-2021-44224.json 38.6.0