Service Notices
Apache HTTP Server 2.4.49 Path Traversal Vulnerability (CVE-2021-41773)
Oct 09, 2021 GMT+08:00
I. Overview
Apache has disclosed a path traversal vulnerability (CVE-2021-41773) in Apache HTTP Server 2.4.49, and a proof of concept (PoC) has been published. If the configuration contains <Directory /> Require all granted </Directory>, remote attackers can use a path traversal attack to read files outside the document root on vulnerable web servers. If CGI is also enabled on Apache HTTP Server 2.4.49, attackers can construct malicious requests to execute code remotely.
If you are an Apache HTTP Server 2.4.49 user, check your service version and implement timely security hardening.
Reference link: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache HTTP Server: 2.4.49
Secure versions:
Apache HTTP Server: 2.4.50
Versions other than Apache HTTP Server 2.4.49
IV. Vulnerability Handling
Apache HTTP Server 2.4.49 is the official version released by Apache on September 15, 2021. If you are not running this version, no fix is required. The vulnerability has been fixed in the latest version (2.4.50). If you are an Apache HTTP Server 2.4.49 user, upgrade to a secure version as soon as possible.
Download link: https://httpd.apache.org/download.cgi
HUAWEI CLOUD WAF can defend against attacks exploiting this vulnerability. If you are a WAF user, set the Mode to Block in the Basic Web Protection configuration area. For details, see Configuring Basic Web Protection Rules.
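The following POSIX shell script is an added example (not part of this notice and not Huawei or Apache code) that automates the two checks the handling steps above call for: whether the running binary reports the affected version 2.4.49, and whether the vulnerable precondition, a <Directory /> block that contains "Require all granted", is present in httpd.conf. The sample configuration it writes to a temporary file is constructed for the demonstration; on a real host, feed it the output of `httpd -v` (or `apachectl -v`) and the path to the server's own configuration file.

```shell
#!/bin/sh
# Added example: detect the CVE-2021-41773 affected version and the
# <Directory /> "Require all granted" precondition named in the notice.

# Prints "yes" if a version banner names Apache 2.4.49, otherwise "no".
# Expected input is the first line of `httpd -v`, e.g.
#   "Server version: Apache/2.4.49 (Unix)"
is_vulnerable_version() {
    case "$1" in
        *Apache/2.4.49*) echo yes ;;
        *)               echo no  ;;
    esac
}

# Prints "granted" if any <Directory /> (or <Directory "/">) block in the
# given config file contains "Require all granted", otherwise "ok".
# The hardened default shipped with httpd is "Require all denied" here.
root_dir_grants_all() {
    awk '
        /^[ \t]*<Directory[ \t]+"?\/"?>/        { inroot = 1; next }
        /^[ \t]*<\/Directory>/                  { inroot = 0 }
        inroot && /^[ \t]*Require[ \t]+all[ \t]+granted/ { found = 1 }
        END { print (found ? "granted" : "ok") }
    ' "$1"
}

# Constructed sample data standing in for live host output.
sample_banner='Server version: Apache/2.4.49 (Unix)'
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
<Directory />
    AllowOverride none
    Require all granted
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
EOF

echo "affected version present: $(is_vulnerable_version "$sample_banner")"
echo "root directory access:    $(root_dir_grants_all "$sample_conf")"
rm -f "$sample_conf"
```

A host is in scope for this notice only when the version check prints "yes"; the config check tells you whether the precondition that makes the traversal reachable is also met, and "granted" on the root directory is worth reverting to the shipped default "Require all denied" regardless of version, since no ordinary deployment needs the filesystem root exposed.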
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.