
Apache HTTP Server Path Traversal Zero-Day Vulnerability CVE-2021-41773

Advisory No: TZCERT/SA/2021/10/06

Date of First Release: 06th October 2021

Source: Apache

Software Affected: Apache HTTP Server 2.4.49

Overview

The vulnerability affects Apache HTTP Server version 2.4.49. Successful exploitation could allow an attacker to use a path traversal attack to map URLs to files outside the expected document root.

Description

This vulnerability is caused by a bug in how the Apache server converts between different URL path forms (a process called URI normalization): input validation errors when processing directory traversal sequences allow such sequences to pass through normalization.

A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside the document root are not protected by “require all denied”, these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.
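To show the defensive side of the normalization issue described above, the following is an added example (not code from the advisory or from Apache): it percent-decodes a request path before resolving `..` segments, then scans access-log lines for requests that resolve outside the document root or hide `..` behind percent-encoding. The log lines, IP addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1043
203.0.113.9 - - [06/Oct/2021:10:00:04 +0000] "GET /cgi-bin/%252e%252e/etc/hostname HTTP/1.1" 403 199
"""
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_path(target: str) -> str:
    """Strip the query string, then percent-decode repeatedly (bounded) so nested encodings are undone."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def normalize_path(target: str) -> tuple[str, int]:
    """Resolve '.' and '..' on the decoded path; return (resolved_path, escapes above the URL root)."""
    stack: list[str] = []
    escapes = 0
    for seg in decode_path(target).split("/"):
        if seg in ("", "."):
            continue
        elif seg == ".." and stack:
            stack.pop()
        elif seg == "..":
            escapes += 1  # climbed above '/', i.e. outside the document root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escapes

def classify(target: str) -> str:
    """Return why the request looks like a traversal attempt, or "" if it looks benign."""
    _, escapes = normalize_path(target)
    if escapes:
        return "resolves outside the document root"
    literal = target.split("?", 1)[0].split("/")
    if ".." in decode_path(target).split("/") and ".." not in literal:
        return "percent-encoded '..' hidden from a literal check"
    return ""

def scan_access_log(log_text: str) -> list[tuple[str, str]]:
    """(request_target, reason) for each suspicious request line; benign lines are skipped."""
    targets = [m["target"] for m in REQUEST_RE.finditer(log_text)]
    return [(t, classify(t)) for t in targets if classify(t)]
```

The check decodes first and normalizes second; a check that looks for a literal `..` before decoding is the pattern the advisory's description warns about.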

Impact

Successful exploitation of this vulnerability may allow an attacker to use a path traversal attack to map URLs to files outside the expected document root.

Solution

Apache has released version 2.4.50, which fixes this vulnerability. Users and administrators are encouraged to apply the update.

References

  1. https://www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited
  2. https://therecord.media/apache-fixes-actively-exploited-web-server-zero-day/
