
List:       apache-httpd-users
Subject:    [users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server
From:       Stefan Eissing <icing () apache ! org>
Date:       2021-10-05 9:03:14
Message-ID: e377474b-8d81-035a-bd74-3c20e4a7c144 () apache ! org

Severity: important

Description:

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
An attacker could use a path traversal attack to map URLs to files outside the
expected document root.

If files outside of the document root are not protected by "require all denied" these
requests can succeed. Additionally this flaw could leak the source of interpreted
files like CGI scripts.
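The mitigating configuration the advisory refers to, shown as an added example (this is not text from the advisory or from the httpd project's own files). It contrasts a filesystem root left open with the deny-by-default layout that keeps a traversed path from being served; the document root path /var/www/html is an assumed placeholder.

```apache
# Added example, not part of the advisory.
#
# Weak setting: granting access at the filesystem root means any path
# httpd maps outside DocumentRoot is still authorized to be served.
#
#   <Directory />
#       Require all granted
#   </Directory>
#
# Corrected setting: deny everything on the filesystem by default, so a
# request whose URL maps outside the document root is refused (403)
# regardless of how the path was normalized.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Re-open only the directory tree that is meant to be served.
# /var/www/html is an assumed placeholder for the real document root.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

A quick check after reloading: a request to a URL that maps below the filesystem root but outside /var/www/html should receive 403 rather than file content, and the corresponding error_log entry should cite the "client denied by server configuration" authorization failure rather than a file-not-found.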

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

Credit:

This issue was reported by Ash Daulton along with the cPanel Security Team.

References:

https://httpd.apache.org/security/vulnerabilities_24.html


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

