On October 5, 2021, The Apache Software Foundation disclosed a path traversal and file disclosure vulnerability (CVE-2021-41773) that affects Apache HTTP Server version 2.4.49. Path traversal attacks (also known as directory traversal, dot-dot-slash, directory climbing, and backtracking) allow a threat actor to access arbitrary files and directories on the vulnerable web server. Apache confirmed that this vulnerability is in active exploitation, and there are reports that proof-of-concept exploits are publicly available.
Based on the ubiquity of Apache HTTP Server, this vulnerability could affect a significant number of organizations. Internet scan data indicates that as of this publication there are approximately 113,000 Apache servers running the vulnerable version. The flaw affects the default product configuration.
Recommended actions:
Our Security Partner recommends that customers upgrades vulnerable Apache HTTP Servers as appropriate in their environments as soon as possible.
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk
