The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an “incomplete fix” for an actively exploited path traversal and remote code execution flaw that it patched earlier this week.
CVE-2021-42013, as the new vulnerability is identified, builds on CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.
Although the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the “mod_cgi” module was loaded and the configuration “require all denied” was absent, prompting Apache to issue another round of emergency updates.
“It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,” the company noted in an advisory. “If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.”
Apache credited Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka for reporting the vulnerability. In light of active exploitation, users are highly recommended to update to the latest version (2.4.51) to mitigate the risk associated with the flaw.
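The conditions described in the advisory can be checked against a server's own configuration. The following is an added example, not code from Apache or from the original article: a small audit that takes an httpd version string and the text of one configuration file and reports whether the file disclosure and remote code execution conditions hold. The function name `audit` and the sample configurations are constructed for illustration; the check reads a single file, does not follow `Include` directives, and only recognizes the 2.4-style `Require all denied` on the filesystem root.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # releases named in the article; 2.4.51 has the complete fix

def audit(version, config_text):
    """Report which of the advisory's conditions hold for one config file."""
    cgi_loaded = root_denied = in_root = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if re.match(r"LoadModule\s+cgid?_module\b", line, re.I):
            cgi_loaded = True  # mod_cgi or mod_cgid is loaded
        elif re.match(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True  # entering the filesystem-root block
        elif re.match(r"</Directory>", line, re.I):
            in_root = False
        elif in_root and re.match(r"Require\s+all\s+denied\s*$", line, re.I):
            root_denied = True  # default-deny outside aliased directories
    affected = version in AFFECTED
    disclosure = affected and not root_denied
    return {"affected": affected, "file_disclosure": disclosure,
            "rce": disclosure and cgi_loaded}

# Constructed sample configurations (not taken from any real server).
WEAK = """
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    # Require all denied
    Require all granted
</Directory>
"""
HARDENED = """
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
"""

if __name__ == "__main__":
    for name, ver, cfg in [("weak", "2.4.50", WEAK),
                           ("hardened", "2.4.50", HARDENED),
                           ("patched", "2.4.51", WEAK)]:
        print(name, ver, audit(ver, cfg))
```

A clean result from this check does not replace the update to 2.4.51; it only shows whether the default-deny setting the advisory relies on is present in the file inspected.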
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it is “seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,” urging “organizations to patch immediately if they haven’t already.”