Path Traversal and Remote Code Execution found in Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-41773)

8 October 2021 [NO.TCSA : 20211008-1-1-P]

PUBLISHED:
8 October 2021


A critical flaw was found in a change made to path normalization in Apache HTTP Server versions 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts and lead to remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions.

Affected Versions

The following Apache versions are vulnerable.

  • Apache HTTP Server 2.4.49
  • Apache HTTP Server 2.4.50

Mitigation

All users should ensure that they update to the fixed version, 2.4.51 or later. Because Apache HTTP Server 2.4.49 was released on September 15, 2021, there is a chance some users have not yet updated to the vulnerable version. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.
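As an added example that is not part of this advisory, the following Python triage script does two defender-side checks: it tests an `httpd -v` banner against the affected releases listed above, and it scans Apache access-log lines for requests whose percent-decoded path would climb above the document root, which is the normalization check the affected versions got wrong. The log lines, client address and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Releases named as affected in the advisory; 2.4.51 and later are fixed.
AFFECTED = {(2, 4, 49), (2, 4, 50)}
# Matches the request part of a common/combined Apache access-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [08/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.5 - - [08/Oct/2021:10:00:03 +0000] "GET /docs/%252e%252e/%252e%252e/conf/httpd.conf HTTP/1.1" 403 199
203.0.113.5 - - [08/Oct/2021:10:00:04 +0000] "GET /images/../logo.png HTTP/1.1" 200 2048
"""

def httpd_version_affected(version_line):
    """True if a 'Server version: Apache/2.4.49 (Unix)' banner names an affected release."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError("no Apache version found in: %r" % version_line)
    return tuple(int(x) for x in m.groups()) in AFFECTED

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..' segments are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(raw_path):
    """True if the decoded request path has more '..' than directories above it."""
    path = decode_fully(raw_path.split("?", 1)[0])  # ignore the query string
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:  # climbed above the document root
                return True
        else:
            depth += 1
    return False

def find_traversal_attempts(log_text):
    """Return (line_no, method, raw_path) for each request that escapes the docroot."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if m and escapes_docroot(m.group("path")):
            hits.append((n, m.group("method"), m.group("path")))
    return hits
```

Run `find_traversal_attempts(SAMPLE_LOG)` to see lines 2 and 3 flagged; line 4 is left alone because its `..` stays inside the document root.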
