Earlier this week, Apache HTTP Server users were urged to patch immediately, as a zero-day bug in the open-source, cross-platform web server was being actively exploited in the wild.

Apache Software Foundation released version 2.4.50 in order to address CVE-2021-41773, a path traversal and file disclosure flaw in the previous version (2.4.49).

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.

If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.


Apache Issues a New Patch

Yesterday, the foundation released Apache HTTP Server 2.4.51, because the fix shipped in 2.4.50 turned out to be incomplete.

The Apache HTTP Server is a free and open-source cross-platform web server software, developed and maintained by an open community of developers under the guidance of the Apache Software Foundation.

Most Apache HTTP Server instances run on a Linux distribution, but current versions also run on Microsoft Windows, OpenVMS, and a wide variety of Unix-like systems.

As we said in our previous article, there were approximately 112,000 potentially exposed servers all over the world including United States (43,000), Germany (12,000), Canada (10,000), France (7,000), and the United Kingdom (4,000).

According to developers,

An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.


Given how many servers are exposed, it is all the more important for administrators to upgrade their Apache HTTP servers.

What Happened After the Last Fix?

Yesterday, the Apache Software Foundation issued version 2.4.51 after the patch released in 2.4.50 for CVE-2021-41773 was found to be insufficient.

The new release addresses the path traversal and remote code execution flaws CVE-2021-41773 (affecting 2.4.49) and CVE-2021-42013 (affecting both 2.4.49 and 2.4.50); earlier 2.4.x releases are not affected by either.
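As an added illustration of the bug class the advisory text earlier on this page describes (percent-encoded dots being decoded after dot-segment normalization has already run) and of why decoding only once was not a complete fix, here is a simplified Python model. It is example code written for this page, not Apache httpd's normalization code or the project's actual fix; the request shapes ".%2e/" and ".%%32%65/" are the publicly documented ones for CVE-2021-41773 and CVE-2021-42013 and do not appear in this article, and the document root and access-log lines are constructed.

```python
"""Added example, not Apache httpd's code.  A simplified model of the bug
class: dot-segment normalization that runs before percent-decoding lets an
encoded '..' escape the document root, decoding only once still misses a
doubly-encoded '..', and a safe resolver decodes to a fixed point before
confining the result.  DOCROOT and the log lines are constructed."""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # constructed example document root


def collapse_dot_segments(path: str) -> str:
    """Textual '.'/'..' removal on a URL path; never rises above '/'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def resolve_normalize_then_decode(url_path: str) -> str:
    """Bug class behind CVE-2021-41773 (model): '.%2e' is an ordinary segment
    to the normalizer; the later decode turns it into '..' and normpath (the
    filesystem, on a real server) honours it."""
    return posixpath.normpath(DOCROOT + unquote(collapse_dot_segments(url_path)))


def resolve_decode_once_then_normalize(url_path: str) -> str:
    """Incomplete fix behind CVE-2021-42013 (model): one decode catches '.%2e',
    but '.%%32%65' decodes to '.%2e', survives normalization, and a second
    decode downstream (the final unquote here) produces '..' again."""
    normalized = collapse_dot_segments(unquote(url_path))
    return posixpath.normpath(DOCROOT + unquote(normalized))


def percent_decode_fully(s: str, max_rounds: int = 4) -> str:
    """Decode until the string stops changing so nested encodings collapse."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many percent-encoding layers")


def resolve_safe(url_path: str) -> str:
    """Decode to a fixed point, normalize, then refuse anything outside DOCROOT."""
    decoded = percent_decode_fully(url_path)
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        raise PermissionError(f"request escapes document root: {url_path!r}")
    return candidate


def escapes_docroot(url_path: str) -> bool:
    """True when the request, fully decoded, would leave DOCROOT."""
    try:
        resolve_safe(url_path)
    except (PermissionError, ValueError):
        return True
    return False


# Constructed access-log lines (Apache combined format) for the check below.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:01:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1327 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:01:04 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1327 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:01:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(log_text: str) -> list:
    """Request paths in the log whose fully decoded form leaves DOCROOT."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            path = m.group(1).split("?", 1)[0]
            if escapes_docroot(path):
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    probe = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
    double = "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"
    print(resolve_normalize_then_decode(probe))        # /etc/passwd
    print(resolve_decode_once_then_normalize(probe))   # /var/www/html/etc/passwd
    print(resolve_decode_once_then_normalize(double))  # /etc/passwd
    print(flag_traversal_requests(SAMPLE_LOG))         # the two encoded probes
```

The safe resolver decodes to a fixed point before it normalizes and confines; rejecting any request that still contains a percent sequence after a single decode is an equally defensible, stricter policy. On a real server it is the filesystem, not normpath, that honours a late-appearing "..", which is why the "require all denied" default on the filesystem root matters: it blocks the escaped request even after normalization has already failed. The log check is deliberately independent of the exact encoding, so it also catches variants that a pattern match on ".%2e" alone would miss.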

The security researchers Juan Escobar from Dreamlab Technologies, Fernando Muñoz from Null Life CTF Team, and Shungo Kumasaka were the ones to discover the incomplete patch for the CVE-2021-41773 flaw, as well as the new vulnerability, CVE-2021-42013.

According to the United States Computer Emergency Readiness Team (US-CERT), the newly discovered issue is also being used in ongoing campaigns.

System administrators are advised to upgrade their servers to the new version as soon as possible.
