CVE-2021-41773 Apache Web 0day
A new apache 0day vulnerability has just been announced that affects Apache version 2.4.49. “A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.” Further information can be found here.
This would allow an attacker to retrieve sensitive files on the server, such as configuration files that contain credentials for example. Furthermore, researchers have found a way to leverage this into remote code execution – allowing an unauthenticated attacker to run commands on the affected server
The CVE is currently being exploited in the wild by malicious actors – as such we recommend all our clients to update to Apache HTTP Server 2.4.50 immediately if you are running the affected version (2.4.49).