Multiple Vulnerabilities in Apache HTTP Server

Post author:shashikant redekar
Post published:October 10, 2021
Post category:Cyber Security
Post comments:0 Comments

Original Issue Date: October 06, 2021

Severity Rating: High

Software Affected

Apache HTTP Server version 2.4.49

Overview

Multiple vulnerabilities have been reported in Apache HTTP Server which could be exploited by a remote attacker to execute arbitrary code or cause denial of service conditions on the target system.

Description

1. Directory traversal Vulnerability ( CVE-2021-41773 )

The vulnerability exists in Apache HTTP Server due to incomplete path normalization logic implemented. A remote attacker could exploit this vulnerability by sending specially crafted requests to map URLs to files outside the expected document root.

Successful exploitation of this vulnerability could allow a remote attacker to traverse directories on the system, if files outside of the document root are not protected by “require all denied” these requests can succeed. This vulnerability could also expose the source of interpreted files like CGI scripts, which may be used for further attacks.

Note: This issue is currently exploited in the wild, users are advised to upgrade urgently.

2. Denial of Service Vulnerability ( CVE-2021-41524 ) This vulnerability exists in Apache HTTP Server due to NULL pointer dereference error in HTTP/2 requests. A remote attacker could exploit this vulnerability by sending a specially crafted request to perform a denial of service(DoS) condition on the targeted system.

Solution

Upgrade to Apache HTTP Server 2.4.50:

Please Share This Share this content

You Might Also Like

OGNL injection vulnerability in Confluence Server and Data Center

Privilege escalation vulnerability in VMware Tools for Windows

Spoofing Vulnerability in Microsoft Edge (Chromium-based)

Leave a Reply Cancel reply

Share this content