Apache has issued patches to handle two safety vulnerabilities, together with a path traversal and file disclosure flaw in its HTTP server that it stated is being actively exploited within the wild.
“A flaw was present in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker may use a path traversal assault to map URLs to recordsdata outdoors the anticipated doc root,” the open-source challenge maintainers noted in an advisory printed Tuesday.
“If recordsdata outdoors of the doc root aren’t protected by ‘require all denied’ these requests can succeed. Moreover this flaw may leak the supply of interpreted recordsdata like CGI scripts.”
The flaw, tracked as CVE-2021-41773, impacts solely Apache HTTP server model 2.4.49. Ash Daulton and cPanel Safety Staff have been credited with discovering and reporting the problem on September 29, 2021.
|Supply: PT SWARM|
Additionally resolved by Apache is a null pointer dereference vulnerability noticed throughout processing HTTP/2 requests (CVE-2021-41524), thus permitting an adversary to carry out a denial-of-service (DoS) assault on the server. The non-profit company stated the weak spot was launched in model 2.4.49.
Apache customers are highly recommended to patch as quickly as attainable to include the trail traversal vulnerability and mitigate any danger related to energetic exploitation of the flaw.