Apache web server path traversal and file disclosure vulnerability (CVE-2021-41773)

Apache Software released patch for zero-day vulnerability in Apache HTTP server affecting version 2.4.49 of 4e October 2021. The vulnerability was discovered by cPanel Security and is actively exploited in the wild.

This flaw could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized users to access files outside of the expected document root on the web server. The problem could also expose the source of interpreted files such as CGI scripts, the advisory added, which may contain sensitive information that attackers could use for other attacks.

This zero-day vulnerability is now known to lead to remote code execution provided mod-cgi is enabled on the server, as security researcher Hacker Fantastic noted on Twitter.

What are the risks ?

The Apache HTTP Server is a popular open source HTTP server for operating systems including Windows and * nix by the Apache Software Foundation.

A Shodan search shows approximately 1711 Apache HTTP servers running the vulnerable version. The vulnerability is applicable when files outside of the document root are not protected by “require all denied”.

Several functional exploits are already publicly available, and no user permission required to exploit the vulnerability makes exploitation easy for a remote attacker.


The fix was included in version 2.4.50 and released on October 4, 2021. We strongly advise customers to update their installations as soon as possible.

Restrict access to files outside of the document root by using “require all denied”.

Indusface Web Application Scanner (WAS) performs a scan on the server and identifies this vulnerability through a non-intrusive remote network test.

Induface AppTranaThe / Total Application Security (TAS) platform protects against exploitation of vulnerabilities in web applications and web servers, including this vulnerability.

web application security banner

The Apache Web Server Path Traversal and File Disclosure Vulnerability (CVE-2021-41773) post appeared first on Indusface.

*** This is an Indusface Security Bloggers Network syndicated blog written by Vivek Gopalan. Read the original post at: https://www.indusface.com/blog/apache-web-server-path-traversal-and-file-disclosure-vulnerability-cve-2021-41773/

Comments are closed.