The Apache Software Foundation has released a security update to address a zero-day in the Apache HTTP Server actively exploited by hackers.
Tracked as CVE-2021-41773, the issue is a path traversal vulnerability that exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, the bug could leak the source of interpreted files like CGI scripts.
CVE-2021-41773 affects Apache HTTP Server 2.4.49.
Apache has also resolved a NULL pointer dereference issue (CVE-2021-41524) impacting Apache HTTP Server 2.4.49. The bug stems from a NULL pointer dereference error when processing HTTP/2 requests and allows a remote attacker to perform DoS (denial-of-service) attack.