Path Traversal and Remote Code Execution found in Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-41773)

8 October 2021 [NO.TCSA : 20211008-1-1-P]

PUBLISHED:
8 October 2021

Path Traversal and Remote Code Execution found in Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-41773)

A critical flaw was found in a change made to path normalization in Apache HTTP Server versions 2.4.49 & 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts and perform Remote Code Executions. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 & 2.4.50 and not earlier versions.

Affected Versions

Following Apache versions are vulnerable.

  • Apache HTTP Server 2.4.49
  • Apache HTTP Server 2.4.50

Mitigation

All users should ensure that they update to the fixed version, 2.4.51 or later. Because Apache HTTP Server 2.4.49 was released on September 15, 2021, there is a chance some users have not yet updated to the vulnerable version. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.

More Information

21 April 2022 [NO.TCSA : 20220422-1-1-P]

A Critical Unauthenticated Remote Code Execution (RCE) Flaw Found in WSO2 API Manager, Identity Server & Enterprise Integrator

READ MORE READ MORE
19 April 2022 [NO.TCSA : 20220419-1-1-P]

Possible Increase of Intrusion Attempts on Sri Lankan Websites

READ MORE READ MORE
1 April 2022 [NO.TCSA : 20220401-1-1-P]

Spring4Shell – A Critical Remote Execution Found Spring Framework

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN