PRP: Request Apache HTTP Server Mod_Proxy SSRF vulnerability (CVE-2021-40438) #167

Open
4 tasks done
timoles opened this issue Oct 15, 2021 · 1 comment
timoles commented Oct 15, 2021

Hey Tsunami Team

I would like to contribute with a detector plugin for CVE-2021-40438 (SSRF in Apache HTTP Server Mod_Proxy <= 2.4.48)

  • The vulnerability was discovered recently and a patched version is already available. - Yes, (Patched for Apache > v2.4.48) (A blogpost describing the vulnerability)
  • The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • The vulnerability should have a relatively large impact radius. - Yes, widely used HTTP server
  • The vulnerability should be remotely exploitable without authentication and user interaction. - Yes, unauthenticated attackers can exploit it.

Please note, I'm currently in the PR process of another detector, but that one should be near its end (hopefully).

Please let me know if this is in scope and fine for me to develop.

timoles commented Nov 22, 2021

Hey Tsunami Team

With #86 being wrapped up, would it be possible to start the plugin process on this one?

Greetings

tooryx added the "Contributor queue" label (When a contributor has already one issue/PR in review, we put the following ones on hold with this.) and removed the "PRP:Request" label on Feb 1, 2024