DIVD-2021-00027 - Apache HTTP 2.4.49 Path Traversal and File Disclosure
| Field | Value |
| --- | --- |
| Case lead | Ralph Horn |
| Product | Apache HTTP Server |
| Recommendation | Upgrade to 2.4.51 |
| Patch status | Fully patched |
Apache HTTP Server version 2.4.49 contains a flaw in its path normalization that allows an attacker to map URLs to files outside the document root, resulting in path traversal and file disclosure. The fix shipped in Apache 2.4.50 is incomplete and can be bypassed, so 2.4.50 is affected as well. As there is evidence of exploitation in the wild, we advise patching with high priority.
What you can do
If you run Apache HTTP server version 2.4.49/2.4.50, downgrade to 2.4.48 or upgrade to 2.4.51.
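Besides patching, it is worth checking access logs for traversal attempts against the affected versions. The following is an added example, not DIVD's own tooling: it percent-decodes each request path (at most twice, since the 2.4.50 fix could be sidestepped with an extra layer of encoding), tracks how deep the path goes and flags any request whose `..` segments climb above the document root. The log lines are constructed for the example.

```python
"""Flag Apache access-log requests whose decoded path escapes the document root."""
import re
from urllib.parse import unquote

# Apache "common" log format; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one benign, one encoded
# traversal, one double-encoded traversal, one harmless '..' inside the root.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [05/Oct/2021:10:15:32 +0000] "GET /icons/.%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1042
203.0.113.9 - - [05/Oct/2021:10:15:35 +0000] "GET /icons/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1042
203.0.113.5 - - [05/Oct/2021:10:15:40 +0000] "GET /docs/../index.html HTTP/1.1" 200 512
"""


def decode_path(raw: str, rounds: int = 2) -> str:
    """Strip the query string and percent-decode up to `rounds` times."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(raw_path: str) -> bool:
    """True if the decoded path's '..' segments climb above the document root."""
    depth = 0
    for segment in decode_path(raw_path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return (ip, path, status) for every request that escapes the docroot."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and escapes_docroot(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (HTTP {status})")
```

A status of 200 on a flagged request is the case to investigate first, since it suggests the file was actually served.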
What we are doing
We are actively scanning for vulnerable machines on the internet.
| Date | Event |
| --- | --- |
| 29 Sept 2021 | CVE-2021-41773 reported by the ASF security team. |
| 04 Oct 2021 | CVE-2021-41773 patched and documented. |
| 05 Oct 2021 | First version of this case file. |
| 05 Oct 2021 | DIVD is actively scanning for vulnerable servers. |
| 07 Oct 2021 | Apache 2.4.51 released to mitigate CVE-2021-41773. |
- Path Traversal Zero-Day in Apache HTTP Server Exploited
- Apache 2.4.50 Release Notes
- Apache fixes actively exploited web server zero-day
- NCSC Advisory NCSC-2021-0861