[ SB 21.20 ] Critical Bug in Apache HTTPD can lead to RCE (CVE-2021-41773)

Apache HTTPD Advisory

A flaw was found in Apache HTTP Server where an attacker could use a path traversal attack to map URLs to files outside the expected document root.

If files outside of the document root are not protected by "require all denied" these requests can succeed. This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

CVE       : CVE-2021-41773
Vendor    : Apache
Product   : HTTPD

Patches   : available
Exploits  : exploits available (RCE as well)

Exploits and scanners

Test-POC and scanner-signatures are available since 2021-10-05 1600 UTC, since 2021-10-06 0100 UTC also an RCE-POC.

Massscannign started within 12hours


rce


rce


rce

References:

  • https://httpd.apache.org/security/vulnerabilities_24.html




Fragen? Kontakt: info@zero.bs