Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild.
"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source project maintainers said in an advisory published Tuesday.
"If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts."
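The advisory's point is that a request path must never resolve to a file outside the document root. As an added illustration (not code from the advisory, and not Apache's own implementation), the following Python check percent-decodes the request path before normalizing it and then verifies that the resolved filesystem path still lies beneath the document root; the document root and the sample request paths are constructed for the example.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed example document root (an assumption, not a path from the advisory).
DOCROOT = "/var/www/html"


def decode_fully(url_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a dot segment that
    was encoded once or twice cannot slip past the normalization step."""
    current = url_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_under_docroot(url_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Map a request path to a filesystem path, refusing anything that escapes
    the document root. Returns the resolved path, or None to reject the request.
    Decoding happens before normalization: normalizing first and decoding
    later is the ordering that lets an encoded '..' escape."""
    decoded = decode_fully(url_path)
    if "\x00" in decoded:               # NUL bytes have no place in a file path
        return None
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check: the candidate is the root itself or lives beneath it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def check_requests(paths: List[str], docroot: str = DOCROOT) -> Dict[str, Optional[str]]:
    """Resolve a batch of request paths; a None value marks a rejected request."""
    return {p: resolve_under_docroot(p, docroot) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths: an ordinary file, a path that
    # normalizes lexically, a plain traversal and a percent-encoded traversal.
    samples = ["/index.html", "/img/../about.html",
               "/../../etc/hostname", "/%2e%2e/%2e%2e/etc/hostname"]
    for path, resolved in check_requests(samples).items():
        print(f"{path:32} -> {resolved or 'REJECTED'}")
```

Any request whose resolved path falls outside the root is rejected regardless of how the dots were encoded, which is the property a server-side 'require all denied' on the filesystem root provides as a second line of defence.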
The flaw, tracked as, affects only Apache HTTP Server version 2.4.49. Ash Daulton and the cPanel Security Team were credited with discovering and reporting the issue on September 29, 2021.
Source: PT SWARM
Also resolved by Apache is a null pointer dereference vulnerability observed while processing HTTP/2 requests (), which allows an adversary to carry out a denial-of-service (DoS) attack against the server. The non-profit corporation said the weakness was introduced in version 2.4.49.
Apache users are urged to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.