Apache just patched two security vulnerabilities (CVE-2021-41773 and CVE-2021-33193) in Apache HTTP Server 2.4.49, one of which important and the other one moderate.
CVE-2021-41773 is a path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49. There are reports that indicate the vulnerability has been exploited in the wild. According to the official advisory, the flaw was reported by Ash Daulton along with the cPanel Security Team.
“A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the advisory said. The vulnerability could also be exploited to leak the source of interpreted files such as CGI scripts.
The flaw has been rated as important.
This vulnerability can be triggered by “a crafted method sent through HTTP/2,” which can bypass validation and be forwarded by mod_proxy, eventually causing request splitting or cache poisoning. The flaw, which was reported by James Kettle of PortSwigger affects Apache HTTP Server 2.4.17 to 2.4.48, and has been rated as moderate.
Last year, Apache patched a couple of severe zero-days in its Apache Guacamole remote desktop gateway. The vulnerabilities were described as Reverse RDP vulnerabilities which could allow criminals to take over sessions. The issues were tracked in the CVE-2020-9497 advisory.