Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is currently being actively exploited in the wild.
“A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the open-source project maintainers noted in an advisory published Tuesday.
“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.”
The flaw, tracked as CVE-2021-41773, affects only Apache HTTP Server version 2.4.49. Ash Daulton and the cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.
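The advisory attributes the flaw to a change in path normalization. The example below, added here and not taken from the article or from Apache's code, is a simplified Python model of the bug class: if a server normalizes a URL path while it is still percent-encoded, a segment such as `.%2e` is not recognised as `..`, and once the path is decoded later the filesystem honours the real `..`. The hardened version decodes first and normalizes afterwards, and a final containment check plays the role of the `require all denied` fallback. The document root, the request paths and the log-detection heuristic are all constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed example document root; not a real server path.
DOC_ROOT = "/var/www/html"


def fully_decode(path: str) -> str:
    """Percent-decode until the string stops changing, so doubly encoded
    sequences such as %252e cannot hide a '.' from later checks."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def resolve_vulnerable(doc_root: str, raw_path: str) -> str:
    """Illustrative wrong ordering (a simplified model, not Apache's code):
    the URL path is normalized while still percent-encoded, so a segment like
    '.%2e' is not collapsed as '..'. It is decoded afterwards, and the
    filesystem then honours the real '..' when the file is opened."""
    normalized = posixpath.normpath("/" + raw_path.lstrip("/"))
    decoded = fully_decode(normalized)
    # What the OS would actually open once the decoded path is appended.
    return posixpath.normpath(doc_root + decoded)


def resolve_hardened(doc_root: str, raw_path: str) -> str:
    """Decode first, then normalize, then join: every '..' is visible to the
    normalizer, and normpath on a rooted path can never climb above '/'."""
    decoded = fully_decode(raw_path)
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    return posixpath.normpath(doc_root + normalized)


def is_within_docroot(doc_root: str, fs_path: str) -> bool:
    """Final containment check a server should apply however the path was
    built: anything that resolves outside the root is denied."""
    root = posixpath.normpath(doc_root)
    target = posixpath.normpath(fs_path)
    return target == root or target.startswith(root + "/")


def looks_like_encoded_traversal(raw_path: str) -> bool:
    """Detection heuristic for access logs: a '..' segment that only appears
    after percent-decoding is a strong indicator of an encoded traversal
    attempt, since ordinary clients have no reason to encode dots."""
    raw_segments = raw_path.split("/")
    decoded_segments = fully_decode(raw_path).split("/")
    return ".." in decoded_segments and ".." not in raw_segments


if __name__ == "__main__":
    # Constructed request paths for illustration.
    samples = [
        "/index.html",
        "/docs/.%2e/.%2e/.%2e/private/config.txt",
        "/docs/%252e%252e/%252e%252e/%252e%252e/private/config.txt",
    ]
    for p in samples:
        v = resolve_vulnerable(DOC_ROOT, p)
        h = resolve_hardened(DOC_ROOT, p)
        print(f"{p!r}\n  vulnerable -> {v} (inside root: {is_within_docroot(DOC_ROOT, v)})"
              f"\n  hardened   -> {h} (inside root: {is_within_docroot(DOC_ROOT, h)})"
              f"\n  log flag   -> {looks_like_encoded_traversal(p)}")
```

Running the script shows the encoded request resolving to `/var/private/config.txt` under the vulnerable ordering and to `/var/www/html/private/config.txt` under the hardened one; the containment check rejects the former regardless of which resolver produced it, which is the same defence the advisory describes with `require all denied` on directories outside the document root.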
(Image source: PT SWARM)
Also resolved by Apache is a null pointer dereference vulnerability found during the processing of HTTP/2 requests (CVE-2021-41524), which could allow an adversary to carry out a denial-of-service (DoS) attack on the server. The non-profit organization stated the weakness was introduced in version 2.4.49.
Apache users are highly recommended to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.