
CVE-2021-41773: Apache HTTP Server v2.4.49 Path Traversal and File Disclosure leads to RCE

Dor Dali
 | Nov 18, 2021
 | Director of Information Security

The Apache HTTP server is one of the most common HTTP server frameworks on the internet. Yesterday (October 5th 2021), Apache released a security patch that fixes a critical vulnerability in their project – CVE-2021-41773. This vulnerability was disclosed by Ash Daulton and the CPanel security team on September 29 – not long after Apache had released an update to their HTTP server project. 

In this blog post we will introduce the recent CVE-2021-41773 and how to get it fixed. Spoiler alert: version upgrade.

What is the CVE-2021-41773 vulnerability?

This is a path traversal vulnerability which allows an unauthenticated attacker to read private data and sensitive system files using a specially crafted request. It was also found that the same flaw can be used to run commands on the server and fully compromise it.

This vulnerability was introduced into the Apache HTTP server project on September 15th 2021 by a change made to its path normalization code.

Does it affect me?

If you have an Apache server running version 2.4.49 (only this specific version) you are most likely affected, and we suggest remediating it immediately.

You can also check whether you are affected by running the following one-liner (replace <host> with the hostname you want to check):

curl --silent --path-as-is --insecure "http://<host>/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep -q "root.*" && echo "Host is vulnerable" || echo "Host is Not vulnerable"

Has CVE-2021-41773 been actively exploited in the wild?

Yes. Full exploits for this vulnerability are already available online, and we have noticed quite a few real-world exploitations of it.
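Because the flaw is in path normalization, the same encoded-dot traversal that the check above sends shows up verbatim in the server's access log, so a defender can look back for exploitation attempts. The following Python script is an added example (not part of the original post or of the Apache project) that scans Apache "combined" format log lines, percent-decodes each request path once, and flags any request whose decoded path contains a ".." segment, noting whether the dots were encoded and whether the server answered 200. The log lines are constructed samples; the IP addresses and timestamps are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not from a real server).
# Line 1 mirrors the traversal probe shown earlier in this post and was served (200).
# Line 4 is a plain, un-encoded traversal that Apache rejected (404).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:15:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1281 "-" "curl/7.68.0"
198.51.100.7 - - [06/Oct/2021:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2021:10:16:05 +0000] "GET /docs/file%2etxt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Oct/2021:10:17:31 +0000] "GET /images/..%2Flogo.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Matches the leading fields and the request line of a "combined"/"common" entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_dotdot_segment(raw_target: str) -> bool:
    """Return True if the percent-decoded path contains a '..' segment.

    Apache 2.4.49's normalization missed '..' written with an encoded dot
    (e.g. '.%2e' or '%2e%2e'); decoding once and then splitting on '/'
    reproduces what the server should have seen before serving the file.
    """
    path = raw_target.split("?", 1)[0]   # ignore the query string
    decoded = unquote(path)
    return any(segment == ".." for segment in decoded.split("/"))


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per log line whose request path traverses upward."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable access-log line
        target = m.group("target")
        if not has_dotdot_segment(target):
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "target": target,
            "status": int(m.group("status")),
            # An encoded dot is the signature of the 2.4.49 normalization bypass.
            "encoded_dot": "%2e" in target.lower(),
            # A 200 means the traversal was served, not merely attempted.
            "served": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "SERVED" if f["served"] else "blocked"
        enc = "encoded-dot" if f["encoded_dot"] else "plain"
        print(f'{f["timestamp"]} {f["ip"]} {f["method"]} {f["target"]} -> {f["status"]} ({enc}, {verdict})')
```

Run it against a real log with `scan_access_log(open("/var/log/apache2/access.log").read())`; the entries worth escalating are those with both `encoded_dot` and `served` set, since an un-encoded `..` is normally rejected by Apache and a 404 shows the request was not honoured.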

How do I remediate CVE-2021-41773?

In order to remediate this vulnerability we suggest you upgrade Apache to the latest version, 2.4.50. Check Vulcan Cyber Remedy Cloud fixes for CVE-2021-41773 for more remediation actions. Since the vulnerability was introduced in version 2.4.49 and fixed in version 2.4.50, most customers probably never had the chance to upgrade to the vulnerable version at all.

You can also find available workarounds for any CVE in the Vulcan Remedy Cloud, the vulnerability-fix directory – for free.

About the Author

Dor Dali

Dor is a cyber security expert with years of experience in security research and security program management. He is very enthusiastic about all things security and has deep knowledge of web application, product and infrastructure security.
