[German]A 0-day vulnerability (CVE-2021-41773) and another vulnerability that is already being actively exploited in the wild have been made public in Apache web servers. The Apache Software Foundation (ASF) has released security updates to close the new vulnerabilities. Updating Apache installations with the affected patches is urgent.
Security researcher Kevin Beaumont points out in the following tweet that the newly disclosed Path Traversal vulnerability (CVE-2021-41773) in Apache 2.4.49 appeared as a Unicode vulnerability back in 2000.
Attacks exploiting this flaw have already been discovered by Ash Daulton and the cPanel security team. They then reported the problem to the Apache team.
The Apache Software Foundation has published this security advisory on Apache 2.4 vulnerabilities. The Path Traversal vulnerability (CVE-2021-41773) is only present in Apache 2.4.49 and has been fixed in version 2.4.50. "An attacker could use a path traversal attack to point URLs to files outside the expected document root," the Apache Software Foundation wrote in the Apache HTTP Server 2.4.50 changelog. "If files outside the document root are not protected by 'require all denied,' these requests could succeed. Also, this bug could expose the source code of interpreted files such as CGI scripts," it continues.
The Hacker News points out the vulnerabilities in the above tweet and in this post. Another post with some information can be found at The Record Media. Meanwhile, security researchers have posted several proof-of-concept exploits on Twitter, which are linked in the article in question.
Addendum: Since the first patch was incomplete, the Apache Foundation has followed up with an update. Bleeping Computer has published an article about it here.
Cookies helps to fund this blog: Cookie settings