Vendor Advisory
AttackerKB
IVM Content
Patching Urgency
Last Update
CVE-2021-41773
Apache Advisory
AttackerKB
10/6/2021 (Scheduled)
ASAP
October 6, 2021 13:30 ET
On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild.
While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. While mod_cgi is not enabled in the default Apache Server HTTP configuration, it’s also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program’s output back to the attacker. Rapid7’s research team has a full root cause analysis of CVE-2021-41773 here along ..
Support the originator by clicking the read the rest link below.
