Critical Vulnerability in Apache HTTP Server

  • CERT Admin
  • Wed Oct 06 2021
  • Alerts

Overview 

A critical vulnerability was found in Apache HTTP Server 2.4.49 (CVE-2021-41773). It allows an attacker to perform a path traversal attack against the targeted system. Successful exploitation lets the attacker read and collect sensitive files on the affected server. 

Description 

The vulnerability allows attackers to use path traversal requests to map URLs to files outside the expected document root. If the files outside the document root are not protected with correct permissions, these requests can succeed. 
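Because the affected release's URL normalisation did not treat percent-encoded dot segments the same as literal ones, a review of access logs for this issue has to decode the request path before looking for segments that climb above the document root. The following Python is an added example for that check; it is not part of this advisory or of the Apache project, and the log lines, client addresses and paths in it are constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: client ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def escapes_document_root(path):
    """True if the request path, after decoding, resolves above '/'."""
    decoded = path.split('?', 1)[0]          # query string never affects file mapping
    for _ in range(3):                       # decode until stable (handles double encoding)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    depth = 0
    for seg in decoded.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:                    # climbed above the document root
                return True
        else:
            depth += 1
    return False

def scan_access_log(lines):
    """Return (client, path, status) for every request that escapes the root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and escapes_document_root(m['path']):
            hits.append((m['client'], m['path'], m['status']))
    return hits

# Constructed sample entries (not real traffic): one ordinary request, one plain
# traversal that normalisation would already reject, one percent-encoded traversal.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 3125 "-" "curl/7.68.0"',
    '192.0.2.11 - - [06/Oct/2021:10:16:01 +0000] "GET /icons/../../etc/hostname HTTP/1.1" 400 226 "-" "curl/7.68.0"',
    '192.0.2.12 - - [06/Oct/2021:10:16:45 +0000] "GET /icons/.%2e/.%2e/.%2e/.%2e/etc/hostname HTTP/1.1" 200 18 "-" "curl/7.68.0"',
]

if __name__ == '__main__':
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f'{client} {status} {path}')
```

A 200 status on a flagged path is the line to investigate; a 400 indicates the server rejected the request during normalisation.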

Impact 

● Expose sensitive information 

● Access to arbitrary files outside of the document root  

Solution/Workarounds 

Administrators are advised to patch the affected Apache HTTP servers to the latest version 2.4.50. 

https://httpd.apache.org/security/vulnerabilities_24.html 

Reference 

● https://portswigger.net/daily-swig/apache-http-server-devs-issue-fix-for-critical-data-leak-vulnerability-update-now 

● https://www.bleepingcomputer.com/news/security/apache-fixes-actively-exploited-zero-day-vulnerability-patch-now/ 

● https://www.csa.gov.sg/en/singcert/Alerts/al-2021-059 

Disclaimer 

The information provided herein is on an "as is" basis, without warranty of any kind.  

Last updated: Wed Oct 06 2021
