A flaw was found in Apache HTTP Server where an attacker could use a path traversal attack to map URLs to files outside the expected document root.
If files outside of the document root are not protected by "require all denied" these requests can succeed. This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
CVE : CVE-2021-41773
Vendor : Apache
Product : HTTPD
Patches : available
Exploits : exploits available (RCE as well)
Exploits and scanners
Test-POC and scanner-signatures are available since 2021-10-05 1600 UTC, since 2021-10-06 0100 UTC also an RCE-POC.
Massscanning started within 12hours
References:
- https://httpd.apache.org/security/vulnerabilities_24.html
Fragen? Kontakt: info@zero.bs