QID 87466

Date Published: 2021-10-11

QID 87466: Apache Hypertext Transfer Protocol (HTTP) Server Path Traversal Vulnerability

Apache HTTP Server is an HTTP web server application.

The fix for Path Traversal Vulnerability (CVE-2021-41773) in Apache HTTP Server 2.4.50 was insufficient and could be bypassed.

Affected Versions:
Apache Server version 2.4.49
Apache Server version 2.4.50

QID Detections Logic:
The QID sends a crafted GET request to see if the contents of /etc/passwd are revealed in the response.

A remote unauthenticated user could exploit this vulnerability to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
    • Solution

    Customers are advised to upgrade to Apache HTTP Server 2.4.51. For more information refer to Apache HTTP Server

    Vendor References

    CVEs related to QID 87466

    CVE-2021-42013 |
    Software Advisories
    Advisory ID Software Component Link
    Apache HTTP Server URL Logo httpd.apache.org/download.cgi
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].