Path Traversal and Remote Code Execution found in Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-41773)

8 October 2021 [NO.TCSA : 20211008-1-1-P]

PUBLISHED:
8 October 2021

Path Traversal and Remote Code Execution found in Apache HTTP Server 2.4.49 and 2.4.50 (CVE-2021-41773)

A critical flaw was found in a change made to path normalization in Apache HTTP Server versions 2.4.49 & 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts and perform Remote Code Executions. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 & 2.4.50 and not earlier versions.

Affected Versions

Following Apache versions are vulnerable.

  • Apache HTTP Server 2.4.49
  • Apache HTTP Server 2.4.50

Mitigation

All users should ensure that they update to the fixed version, 2.4.51 or later. Because Apache HTTP Server 2.4.49 was released on September 15, 2021, there is a chance some users have not yet updated to the vulnerable version. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.

More Information

16 April 2024 [NO.TCSA : 20240416-1-1-P]

Critical Command Injection Vulnerability Found in Palo Alto Networks GlobalProtect

READ MORE READ MORE
9 February 2024 [NO.TCSA : 20240209-1-1-P]

Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

READ MORE READ MORE
13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN