List: apache-httpd-users
Subject: [users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server
From: Stefan Eissing <icing () apache ! org>
Date: 2021-10-05 9:03:14
Message-ID: e377474b-8d81-035a-bd74-3c20e4a7c144 () apache ! org
Severity: important
Description:
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
Credit:
This issue was reported by Ash Daulton along with the cPanel Security Team.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
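
The two conditions the advisory names (release 2.4.49, and whether paths outside the document root are covered by "require all denied") can be checked together. The following is an added example, not part of the original advisory or of Apache's tooling; the function names, result strings and sample configs are constructed for illustration, and the parser assumes a single config file without following `Include` directives.

```python
import re

AFFECTED = "2.4.49"  # the only release the advisory lists as affected

# Constructed sample configs (not taken from any real server).
SAMPLE_DENIED = '<Directory />\n    Require all denied\n</Directory>\n'
SAMPLE_OPEN = '<Directory "/var/www/html">\n    Require all granted\n</Directory>\n'

def is_affected(version_banner: str) -> bool:
    """True if an `httpd -v` style banner reports the affected release."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", version_banner)
    return bool(m) and m.group(1) == AFFECTED

def root_access(conf_text: str) -> str:
    """Return the last 'Require all ...' found inside <Directory /> blocks:
    'denied', 'granted', or 'unset' when no such directive is present."""
    result = "unset"
    in_root = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if re.match(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True
        elif re.match(r"</Directory\s*>", line, re.I):
            in_root = False
        elif in_root:
            m = re.match(r"Require\s+all\s+(denied|granted)\b", line, re.I)
            if m:
                result = m.group(1).lower()
    return result

def assess(version_banner: str, conf_text: str) -> str:
    """Combine both checks into one of three constructed result labels."""
    if not is_affected(version_banner):
        return "not-2.4.49"
    # Even with the root denied this is still the affected release; the
    # advisory also mentions source disclosure of interpreted files.
    if root_access(conf_text) == "denied":
        return "2.4.49-root-denied"
    return "2.4.49-root-open"

if __name__ == "__main__":
    banner = "Server version: Apache/2.4.49 (Unix)"  # constructed banner
    print(assess(banner, SAMPLE_DENIED), assess(banner, SAMPLE_OPEN))
```
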