Apache warns of a zero-day exploit; users are advised to patch their web servers as soon as possible. Apache has released patches to address two vulnerabilities, including a path traversal and file disclosure flaw in its HTTP Server that it said is being actively exploited in the wild.
According to an Apache advisory published on Tuesday, “A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.”
It further mentioned, “If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”
The vulnerability, tracked as CVE-2021-41773, affects only Apache HTTP Server version 2.4.49. It was discovered by Ash Daulton and the cPanel Security Team, who reported the issue on September 29, 2021.
Apache also resolved a null pointer dereference vulnerability observed while processing HTTP/2 requests (CVE-2021-41524), which allowed an adversary to perform a denial-of-service (DoS) attack on the server. According to Apache, this weakness was also introduced in version 2.4.49.
All Apache users have been advised to patch as soon as possible to close the path traversal vulnerability and mitigate the risk associated with its active exploitation.
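The advisory notes that requests mapped outside the document root only succeed when those locations are not protected by “require all denied”. The following httpd configuration is an added example (not from the advisory or the Apache project) showing the open filesystem root that leaves such requests unguarded next to the default-deny layout that blocks them; the DocumentRoot, CGI path and vhost layout are assumed. Upgrading to a fixed release remains the actual remedy; this hardening only limits what a traversal can reach.

```apache
# Weak layout: the filesystem root is left open, so any URL that the server
# maps to a file outside the DocumentRoot can still be served.
#<Directory />
#    AllowOverride None
#    Require all granted
#</Directory>

# Corrected layout: deny everything at the filesystem root by default ...
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# ... and grant access only to the intended document root (assumed path).
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# CGI scripts (assumed path) live in their own explicitly granted directory,
# mapped through ScriptAlias so they are executed rather than served as files.
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI
    Require all granted
</Directory>
```

Check the effective policy with `apachectl configtest` after editing, then confirm that a request for a path outside the granted directories returns 403 rather than file contents.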