Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild.
"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source project maintainers noted in an advisory published Tuesday.
"If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts."
The flaw, tracked as CVE-2021-41773, affects only Apache HTTP Server version 2.4.49. Ash Daulton and the cPanel Security Team were credited with discovering and reporting the issue on September 29, 2021.
(Image source: PT SWARM)
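The advisory describes the bug as a path-normalization flaw that lets a URL map to a file outside the document root. The following is an added illustration, not Apache's code and not taken from this article: a hardened URL-to-filesystem mapping that percent-decodes the path before resolving dot segments and then confirms the result is still under the document root, plus a small access-log scan built on the same check so defenders can spot requests that would have escaped the root regardless of how the dots were encoded. The document root, the log format handling and the sample log lines are constructed assumptions.

```python
import re
from posixpath import normpath
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root for the examples below (constructed, not from the advisory).
DOC_ROOT = "/var/www/html"

# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1200
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /images/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199
203.0.113.9 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 300
"""

# Pulls the request line out of each log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path: str) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double encoding such as %252e cannot hide a dot segment from the
    normalisation step that follows."""
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def resolve_request_path(doc_root: str, request_path: str) -> Optional[str]:
    """Hardened mapping of a URL path onto the filesystem.

    Order matters: decode first, then resolve '.' and '..', then check that
    the result is still inside doc_root. Returns None when the request is
    rejected (would leave the document root, or carries a NUL byte)."""
    decoded = fully_decode(request_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None
    # Normalise relative to the root: posixpath.normpath keeps leading '..'
    # segments for relative paths, which is exactly the signal that the
    # request tried to climb above the document root.
    relative = normpath(decoded.lstrip("/"))
    if relative == ".." or relative.startswith("../"):
        return None
    full = normpath(doc_root + "/" + relative)
    # Belt-and-braces containment check on the final absolute path.
    if full != doc_root and not full.startswith(doc_root + "/"):
        return None
    return full


def flag_traversal_requests(log_text: str) -> List[str]:
    """Return the raw request paths from an access log whose decoded,
    normalised form would fall outside the document root. A 403 in the log
    still counts: the attempt is what a defender wants to see."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if resolve_request_path(DOC_ROOT, path) is None:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for p in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", p)
```

The log scan reports the two encoded requests but not `/docs/a/../b.html`, whose dot segments resolve to a file that is still under the root. Note that the scan only tells you a traversal was attempted; whether it succeeded depends on the server version and on whether the targeted directory carries the `Require all denied` protection the advisory refers to, so the response status in the same log line is worth reading alongside it.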
Also resolved by Apache is a null pointer dereference vulnerability observed during processing of HTTP/2 requests (CVE-2021-41524), which allows an adversary to perform a denial-of-service (DoS) attack on the server. The non-profit corporation said the weakness was introduced in version 2.4.49.
Apache users are strongly recommended to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.