The Apache HTTP Server Project has patched a path traversal and file disclosure vulnerability (CVE-2021-41773) in Apache HTTP Server 2.4.49.
A cyber attacker could exploit this vulnerability to access sensitive information.
The Apache HTTP Server Project’s goals are to develop and maintain a “secure, efficient and extensible” open-source HTTP server for Windows and UNIX operating systems.
Originally launched in 1995, Apache HTTP Server (“httpd”) has been one of the most popular web servers on the internet since 1996.
Apache described the issue in a recently released security advisory on October 4:
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
Apache HTTP Server Foundation
Most importantly, Apache has confirmed this issue “is known to be exploited in the wild.”
Apache also fixed a Moderate-rated vulnerability, a null pointer dereference described as “null pointer dereference in h2 fuzzing” (CVE-2021-41524). However, no exploits of this issue have been reported in the wild as of the original advisory posting.
Both of these issues are fixed in Apache 2.4.50 and affect only Apache 2.4.49 (not earlier versions).
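The advisory names two conditions for exposure: the server runs 2.4.49, and files outside the document root are not protected by “require all denied”. The following audit sketch is an added example, not code from Apache or from this article; the function names, the sample banner and the sample configurations are assumptions constructed for illustration, and the parser is deliberately coarse (it does not follow Include files).

```python
import re

# Assumption taken from the advisory text above: only 2.4.49 is affected.
AFFECTED_VERSIONS = {"2.4.49"}

def httpd_version(banner):
    """Pull the version out of `httpd -v` output or a Server response header."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def root_directory_policy(conf_text):
    """Return 'granted', 'denied' or 'unset' for <Directory /> sections.

    Conservative: one `Require all granted` in any root section counts as
    granted. Include files and <DirectoryMatch> are not followed.
    """
    seen, in_root = set(), False
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            in_root = opened.group(1) == "/"
        elif re.match(r"</Directory\s*>", line, re.I):
            in_root = False
        elif in_root:
            req = re.match(r"Require\s+all\s+(denied|granted)\b", line, re.I)
            if req:
                seen.add(req.group(1).lower())
    return "granted" if "granted" in seen else "denied" if "denied" in seen else "unset"

def assess(banner, conf_text):
    """Combine both conditions the advisory names into one finding."""
    version = httpd_version(banner)
    policy = root_directory_policy(conf_text)
    affected = version in AFFECTED_VERSIONS
    return {"version": version, "affected": affected, "root_policy": policy,
            "at_risk": affected and policy != "denied"}

# Constructed sample inputs (not taken from a real host).
WEAK_CONF = '<Directory />\n    Require all granted\n</Directory>\n'
HARDENED_CONF = '<Directory />\n    AllowOverride none\n    Require all denied\n</Directory>\n'

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess("Server version: Apache/2.4.49 (Unix)", conf))
```

A result of `at_risk: True` means both advisory conditions hold; upgrading removes the first, and a root `<Directory />` section with `Require all denied` removes the second.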