Apache introduces patches for vulnerabilities
Apache issued fixes to address two security vulnerabilities which included a path traversal and file disclosure flaw in its HTTP server. It claimed that this was being actively exploited in the wild.
Apache is a free and open-source cross-platform web server software. Developed and maintained by an open community of developers, it is under the sponsorship of the Apache Software Foundation.
The project maintainers noted in the advisory that a flaw was identified in a change in the path normalization in Apache HTTP Server 2.4.49. A threat actor could utilize a path traversal attack to link URLs to files outside the expected document root.
It has also been defined that if files outside of the document root are not secured, then these requests can succeed. Moreover, this flaw has the potential to leak the source of interpreted files such as the CGI scripts.
Discovered and Reported by Ash Daulton and cPanel Security Team, the vulnerability is tracked as CVE-2021-41773. It has been seen to affect only Apache HTTP server version 2.4.49.
Apache was also vigilant in resolving a null pointer dereference vulnerability detected during processing HTTP/2 requests which is termed CVE-2021-41524. This can be exploited by an attacker to carry out a denial-of-service (DoS) attack on the server.
In light of the detection made, Apache users are advised to patch as early as possible to hold the path traversal flaw and avoid any risk linked to the active exploitation of the flaw.