Description
A vulnerability was discovered in Apache HTTP Server 2.4.49 related to changes made to path normalization. This flaw enables attackers to perform path traversal attacks, allowing them to map URLs to files located outside the expected document root. If files outside of the document root are not adequately protected by access controls, these requests can succeed. Additionally, if the mod_cgi module is enabled, attackers can exploit this vulnerability to execute arbitrary commands on the server.
Recommendation
To mitigate this vulnerability, it is recommended to upgrade Apache HTTP Server to the latest secure version available.
References
- Apache HTTP Server
- CVE-2021-41773
- CVE-2021-42013
- CWE-20
- CWE-22
- CWE-78
- CAPEC-126
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Web Server Path Traversal - CVE-2017-14849
- Apache mod_proxy 2.4.48 SSRF - CVE-2021-40438
- Apache Struts 2 Forced double OGNL evaluation S2-059 - CVE-2019-0230
- Apache Struts 2 RCE S2-045 - CVE-2017-5638
- Tags:
- Path Traversal
- Apache
- RCE
- Web Server
- Injection
Anything's wrong? Let us know
Last updated on May 13, 2024