#VU57063 Path traversal in Apache HTTP Server - CVE-2021-41773
Published: October 5, 2021 / Updated: May 7, 2023
Vulnerability identifier: #VU57063
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2021-41773
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Apache HTTP Server
Apache HTTP Server
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
The vulnerability can be used to execute arbitrary OS commands on the system.
Note, the vulnerability is being actively exploited in the wild.
Remediation
Install update from vendor's website.