A huge collection of 3400+ free website templates JAR theme com WP themes and more at the biggest community-driven free web design site
Home / security-advisories / Apache HTTP Server Path Traversal Zero-Day Vulnerability CVE-2021-41773

Apache HTTP Server Path Traversal Zero-Day Vulnerability CVE-2021-41773

Advisory No: TZCERT/SA/2021/10/06

Date of First Release: 06th October 2021

Source: Apache

Software Affected: Apache HTTP Server 2.4.49

Overview

The vulnerability exists in the Apache web servers running version 2.4.49. The exploitation of this vulnerability could allow an attacker to use a path traversal attack to map URLs to files outside the expected document root.

Description

This vulnerability is caused by a bug in how the Apache server converts between different URL path schemes ( a process called URI normalization) due to input validation errors when processing directory traversal sequences.

A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside the document root are not protected by “require all denied”, these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.

Impact

Successful exploitation of this vulnerability may allow an attacker to use a path traversal attack to map URLs to files outside the expected document root.

Solution:

Apache has issued updates in a fixed version 2.4.50. Users and Administrators are encouraged to apply necessary updates.

References:

  1. https://www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited
  2. https://therecord.media/apache-fixes-actively-exploited-web-server-zero-day/

Check Also

Azure Cosmos DB Jupyter Notebook Feature vulnerability

Advisory No: TZCERT/SA/2021/08/31 Date of First Release: 31st August 2021 Source: Microsoft Software Affected:  Azure Cosmos DB  Overview: The …