Publication Date – October 20, 2021
Apache HTTP Web Server, one of the most used web servers across the globe, has a path traversal vulnerability that could be exploited to execute arbitrary commands and allows attackers to download files directly from the server.
The vulnerability is due to a bug in how the server converts URL path schemes in a process called “path normalization” or “URI normalization.” The URLs are mapped to files outside the expected document root. If files outside of the document root are not protected by “require all denied,” these requests can succeed.
This issue affects Apache versions 2.4.49 [CVE-2021-41773] and Apache 2.4.50 [CVE-2021-42013].
What You Can Do
Determine the Level of Exposure in Your Portfolio
- Use the Findings page to search for affected versions (2.4.49 and 2.4.50) and update Apache HTTP Server to version 2.4.51 or later. Refer to the Open Ports and Server Software (server version) risk vectors to search for findings.
- Use the Latest News card in your Portfolio Dashboard to search for companies in your portfolio that are potentially affected by this vulnerability.
Reporting
Recommended reports:
- Portfolio Impact – Quickly assess and communicate how this vulnerability affects your portfolio and share those findings with colleagues and executives.
- Portfolio Vulnerabilities – Discover the concentration of this vulnerability across your portfolio.