Skip to the content.

DIVD-2021-00027 - Apache HTTP 2.4.49 Path Traversal and File Disclosure

Our reference DIVD-2021-00027
Case lead Ralph Horn
Author Diego Klinkhamer
Researcher(s)
CVE(s)
Product Apache HTTP Server
Versions 2.4.49/2.4.50
Recommendation Upgrade to 2.4.51
Patch status Full patched
Status Open

Summary

Apache HTTP Server project version 2.4.49 has a vulnerability in their path normalization which allows an attacker to map URLs to files outside the document root by launching a path traversal and file disclosure. The vulnerability can also be bypassed in apache 2.4.50. As there has been evidence of exploitation in the wild we advice to patch with high priority.

What you can do

If you run Apache HTTP server version 2.4.49/2.4.50, downgrade to 2.4.48 or upgrade to 2.4.51.

What we are doing

We are actively scanning for vulnerable machines on the internet.

Timeline

Date Description
29 Sept 2021 CVE-2021-41773 Reported by the ASF security team.
04 Okt 2021 CVE-2021-41773 patched and documented
05 Okt 2021 First version of this case file
05 Okt 2021 DIVD is actively scanning for vulnerable servers.
07 Okt 2021 Apache 2.51 released to mitigate CVE-2021-41773

More information