8 October 2021 [NO.TCSA : 20211008-1-1-P]
A critical flaw was found in a change made to path normalization in Apache HTTP Server versions 2.4.49 & 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts and perform Remote Code Executions. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 & 2.4.50 and not earlier versions.
Following Apache versions are vulnerable.
All users should ensure that they update to the fixed version, 2.4.51 or later. Because Apache HTTP Server 2.4.49 was released on September 15, 2021, there is a chance some users have not yet updated to the vulnerable version. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.