Apache Web Server Zero-Day Exposes Sensitive Data
Apache Software has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week.
Path traversal issues allow unauthorized people to access files on a web server, by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.
"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49," according to the advisory.
The bug could also expose the source of interpreted files like CGI scripts, the advisory added, which may contain sensitive information that attackers can exploit for further attacks.
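A generic illustration of this bug class, added here and not taken from the advisory or from Apache's code: a resolver that normalizes and checks the request path before percent-decoding it, next to one that decodes first and checks containment on the final path. The web root, function names and request paths are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/site"  # assumed document root (constructed for this example)


def inside_root(path):
    """True if an already-normalized absolute path is WEB_ROOT or below it."""
    return path == WEB_ROOT or path.startswith(WEB_ROOT + "/")


def naive_resolve(url_path):
    """Flawed order: normalize and check the raw path, decode afterwards."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, url_path.lstrip("/")))
    if not inside_root(candidate):
        return None
    # Percent-decoding after the check lets encoded dot segments reappear.
    return posixpath.normpath(unquote(candidate))


def safe_resolve(url_path):
    """Decode once, normalize, then check containment on the final path."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # A real server should also resolve symlinks before this check.
    return candidate if inside_root(candidate) else None


# Constructed request paths, not taken from the advisory.
SAMPLES = [
    "/static/../index.html",
    "/../../private/db.conf",
    "/static/%2e%2e/%2e%2e/%2e%2e/private/db.conf",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:50} naive={naive_resolve(p)!r} safe={safe_resolve(p)!r}")
```

The naive resolver returns a path outside the web root for the third sample, while the hardened one rejects it; both agree on the first two.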
We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.
Tenable noted that a Shodan search on Tuesday turned up about 112,000 Apache HTTP Servers that are confirmed to be running the vulnerable version, including 43,000 or so in the U.S. "However, other vulnerable web servers might be configured to not display version information," according to the firm's blog.
News URL
https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-10-05 | CVE-2021-41773 | Path Traversal vulnerability in multiple products. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. | 7.5 |