Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!

Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP Server that it said is being actively exploited in the wild.

“A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the open-source project maintainers noted in an advisory published Tuesday.

“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.”
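The advisory's mention of “require all denied” refers to the access control that decides whether a request mapped to a file outside the document root is actually served. The following httpd configuration fragment is an added example, not part of the article or of the Apache advisory, contrasting a permissive filesystem-root block with the hardened form; the paths are hypothetical placeholders.

```apache
# Added example (not from the article or the Apache advisory): how the
# "Require all denied" protection the advisory mentions is applied.
# All paths below are hypothetical placeholders.

# Weak: the filesystem root is left open, so a request that httpd maps to a
# file outside the document root is served as long as the file is readable.
# <Directory />
#     Require all granted
# </Directory>

# Hardened: deny everything at the filesystem root by default ...
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# ... and grant access only to the directory tree that is meant to be served.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

This default-deny layout limits the impact of a URL-to-file mapping error, but it is a defence-in-depth measure, not a substitute for installing the patched release: the advisory notes that requests for unprotected files and the source of interpreted files such as CGI scripts can still be affected on vulnerable 2.4.49 builds.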


The flaw, tracked as CVE-2021-41773, affects only Apache HTTP Server version 2.4.49. Ash Daulton and the cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.

Source: PT SWARM

Also resolved by Apache is a null pointer dereference vulnerability observed while processing HTTP/2 requests (CVE-2021-41524), which allows an adversary to carry out a denial-of-service (DoS) attack against the server. The non-profit corporation said the weakness was introduced in version 2.4.49.


Apache users are strongly advised to patch as quickly as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.
