Path traversal in Apache HTTP Server - CVE-2021-41773
Published: October 5, 2021 / Updated: May 7, 2023
Vulnerability identifier: #VU57063
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2021-41773
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Apache Foundation
Affected software:
Apache HTTP Server
Apache HTTP Server
Detailed vulnerability description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
The vulnerability can be used to execute arbitrary OS commands on the system.
Note, the vulnerability is being actively exploited in the wild.
How to mitigate CVE-2021-41773
Install update from vendor's website.