List:       oss-security
Subject:    Re: [oss-security] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.
From:       Yann Ylavic <ylavic.dev () gmail ! com>
Date:       2021-10-15 23:31:50
Message-ID: CAKQ1sVPSjUzdxyb7n7xa5bPzPV4xwXg7cgniwNeuyhg46dBjwQ () mail ! gmail ! com

Hi Román,

On Fri, Oct 15, 2021 at 8:01 PM Roman Medina-Heigl Hernandez
<roman@rs-labs.com> wrote:
>
> Re [1], I think this:
>
> "critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)"
>
> is still misleading and should read:
>
> "critical: Path traversal and Remote Code Execution vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)"

I (for one) would argue that admins/vendors that ship a RCE-vulnerable
custom configuration should reserve a CVE like this to notify their
users.
httpd does not, at least.

Cheers;
Yann.