Path Traversal and Remote Code Execution found in Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-41773)

PUBLISHED:
8 October 2021

Path Traversal and Remote Code Execution found in Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-41773)

A critical flaw was found in a change made to path normalization in Apache HTTP Server versions 2.4.49 & 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts and perform Remote Code Executions. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 & 2.4.50 and not earlier versions.

Affected Versions

Following Apache versions are vulnerable.

• Apache HTTP Server 2.4.49
• Apache HTTP Server 2.4.50

Mitigation

All users should ensure that they update to the fixed version, 2.4.51 or later. Because Apache HTTP Server 2.4.49 was released on September 15, 2021, there is a chance some users have not yet updated to the vulnerable version. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.

More Information

• Apache HTTP Server 2.4 vulnerabilities – https://httpd.apache.org/security/vulnerabilities_24.html