Apache 2.4.49 Path Traversal and RCE
Impact: High
Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed.
If the mod_cgi module is enabled, an attacker can execute arbitrary commands on the server using this vulnerability.
Recommendation
Upgrade Apache HTTP server
References
- CVE-2021-41773
- CVE-2021-42013
- Apache HTTP Server
- OWASP 2017-A9
- OWASP 2021-A6
- CWE-22
- OWASP 2017-A5
- OWASP 2021-A1
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A3
👉 You might also like:
Web Server Path Traversal - CVE-2017-14849
Drupal 'Drupalgeddon2' Remote Code Execution - CVE-2018-7600
The ShellShock Bug - CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278
Joomla! 1.5 < 3.4.5 RCE - CVE-2015-8562
Last updated on October 10, 2021