Apache 2.4.49 Path Traversal and RCE

Impact: High


A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. If the mod_cgi module is enabled, an attacker can execute arbitrary commands on the server using this vulnerability.


Upgrade Apache HTTP server


Last updated on October 10, 2021

This issue is available in SmartScanner Professional

See Pricing