#VU57063 Path traversal in Apache HTTP Server - CVE-2021-41773


| Updated: 2023-05-07

Vulnerability identifier: #VU57063

Vulnerability risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2021-41773

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

The vulnerability can be used to execute arbitrary OS commands on the system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Apache HTTP Server: 2.4.49

External links
https://httpd.apache.org/security/vulnerabilities_24.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability


Gentoo update for Apache HTTPD
Arch Linux update for apache
Amazon Linux AMI update for httpd24
Fedora 35 update for httpd
Slackware Linux update for httpd
Fedora 34 update for httpd
Slackware Linux update for httpd
Fedora 35 update for httpd
Fedora 34 update for httpd
Fedora 33 update for httpd