Security News > 2021 > October > New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks

New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks
2021-10-10 19:57

The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an "Incomplete fix" for an actively exploited path traversal and remote code execution flaw that it patched earlier this week.

CVE-2021-42013, as the new vulnerability is identified as, builds upon CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.

Although the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the "Mod cgi" module was loaded and the configuration "Require all denied" was absent, prompting Apache to issue another round of emergency updates.

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives," the company noted in an advisory.

"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution."

In light of active exploitation, users are highly recommended to update to the latest version to mitigate the risk associated with the flaw.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/6XEDAQCD1K4/new-patch-released-for-actively.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-10-07 CVE-2021-42013 It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.
network
low complexity
apache fedoraproject oracle netapp
critical
9.8
2021-10-05 CVE-2021-41773 Path Traversal vulnerability in multiple products
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
network
low complexity
apache fedoraproject oracle netapp CWE-22
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 295 61 854 634 290 1839