A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
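The advisory above turns on two configuration facts: whether a request that climbs out of an Alias root still hits a "Require all denied" default, and whether the alias is a ScriptAlias with CGI enabled. The following log-triage script is an added example written for this page, not code from the Apache project or from the advisory. It percent-decodes each request path (repeatedly, so double-encoded traversal is not missed), normalizes it, and reports any request that resolves outside its alias root, grading the finding by whether the server actually served it (a 2xx means the default deny did not protect the file) and whether the alias is CGI-enabled. The alias map and the access-log lines are constructed sample data, not real traffic or configuration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed alias map modelling Alias/ScriptAlias directives (assumption, not from the page):
# URL prefix -> True when the prefix is a ScriptAlias, i.e. CGI is enabled under it.
ALIASES = {
    "/cgi-bin/": True,
    "/icons/": False,
}

# Constructed access-log lines in Apache "common" log format (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512
203.0.113.10 - - [05/Oct/2021:10:01:05 +0000] "GET /icons/../../private/notes.txt HTTP/1.1" 403 199
203.0.113.11 - - [05/Oct/2021:10:01:09 +0000] "GET /icons/%2e%2e/%2e%2e/private/notes.txt HTTP/1.1" 200 1024
203.0.113.12 - - [05/Oct/2021:10:02:00 +0000] "GET /icons/%252e%252e/private/notes.txt HTTP/1.1" 404 201
203.0.113.13 - - [05/Oct/2021:10:02:30 +0000] "POST /cgi-bin/%2e%2e/%2e%2e/private/tool HTTP/1.1" 200 0
198.51.100.5 - - [05/Oct/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 3120
"""

# Common log format: client, identd, user, [timestamp], "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_alias(path: str):
    """Return (alias_prefix, cgi_enabled) when the decoded, normalized path leaves its alias root.

    Returns None for requests that do not start with a configured alias or that stay inside it.
    """
    decoded = fully_decode(path.split("?", 1)[0])
    for prefix, cgi in ALIASES.items():
        if decoded.startswith(prefix):
            # normpath collapses '..' segments; a result no longer under the prefix has climbed out.
            normalized = posixpath.normpath(decoded)
            if not normalized.startswith(prefix):
                return prefix, cgi
            return None
    return None


def triage(log_text: str):
    """Scan log lines and grade each alias-escaping request by its real-world impact."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = escapes_alias(m["path"])
        if hit is None:
            continue
        prefix, cgi = hit
        served = m["status"].startswith("2")
        if not served:
            severity = "blocked-attempt"       # the default deny (or a missing file) stopped it
        elif cgi:
            severity = "rce-risk"              # served from a ScriptAlias: CGI exposure per the advisory
        else:
            severity = "file-disclosure"       # served from a plain Alias: contents were read
        findings.append({
            "ip": m["ip"],
            "path": m["path"],
            "alias": prefix,
            "status": int(m["status"]),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:16} {f['ip']:14} {f['status']} {f['path']}")
```

Run against a real access log the same way: pipe the file contents into `triage` and review every "file-disclosure" and "rce-risk" line first, since those are the requests the default "Require all denied" did not stop. Populate `ALIASES` from the server's own Alias and ScriptAlias directives; the two entries here are placeholders.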
Vulnerable Product: apache http server 2.4.49
Plus two failings this week at Apache and Twitch and nostalgia for Flash fans
In brief Hipster beer maker Brewdog has been caught out by a basic, but potentially very expensive, security problem, and the team that discovered it says the Scottish tipple-merchant's response was hardly encouraging.
Research by security shop Pen Test Partners found that the Brewdog mobile app used the same hard-coded API Bearer Token to log in every single customer on their mobiles. This would allow anyone to access and use other people's accounts, including 200,000 "Equity for Punks" s...
Apache Software Foundation has released HTTP Web Server 2.4.51 after researchers discovered that a previous security update didn't correctly fix an actively exploited vulnerability.
Apache HTTP Server is an open-source, cross-platform web server that powers approximately
On Tuesday, Apache released Apache HTTP 2.4.50 to
in version 2.4.49 (tracked as CVE-2021-41773). This flaw allows threat actors to view the contents of files stored on a vulnerable server.
Unless you want to leak like a sieve
The Apache Software Foundation has hurried out a patch to address a pair of HTTP Web Server vulnerabilities, at least one of which is already being actively exploited.
Apache's HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren't great. The latter, a path traversal and file disclosure flaw, is particularly problematic.
The former was reported to Apache's security team on 17 September and can be exploited by an external source to DoS a server ...
Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed.
These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities.
Apache remains one of the most popular web servers of choice with over a
The path traversal vulnerability in Apache's HTTP server,
Apache Software has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The vulnerability is under active exploitation in the wild, it said, and could allow attackers to access sensitive information.
According to a security advisory issued on Monday, the issue (CVE-2021-41773) could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized people to access files on a web server, b...