Apache 2.4.49 Path Traversal and RCE

Description

A vulnerability was discovered in Apache HTTP Server 2.4.49 related to changes made to path normalization. This flaw enables attackers to perform path traversal attacks, allowing them to map URLs to files located outside the expected document root. If files outside of the document root are not adequately protected by access controls, these requests can succeed. Additionally, if the mod_cgi module is enabled, attackers can exploit this vulnerability to execute arbitrary commands on the server.

Recommendation

To mitigate this vulnerability, it is recommended to upgrade Apache HTTP Server to the latest secure version available.

References

• Apache HTTP Server
• CVE-2021-41773
• CVE-2021-42013
• CWE-20
• CWE-22
• CWE-78
• OWASP 2021-A3
• OWASP 2021-A6