Apache 2.4.49 Path Traversal and RCE
Impact: High
Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed.
If the mod_cgi
module is enabled, an attacker can execute arbitrary commands on the server using this vulnerability.
Recommendation
Upgrade Apache HTTP server
References
- CVE-2021-41773
- CVE-2021-42013
- Apache HTTP Server
- OWASP 2017-A9
- OWASP 2021-A6
- CWE-22
- OWASP 2017-A5
- OWASP 2021-A1
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A3
- CWE-20
👉 You might also like:
Apache Struts 2 Forced double OGNL evaluation S2-059 - CVE-2019-0230
Apache Struts 2 RCE S2-045 - CVE-2017-5638
Apache Struts 2 REST plugin XStream RCE S2-052 - CVE-2017-9805
Apache Struts OGNL expression RCE S2-057 - CVE-2018-11776
Last updated on October 10, 2021