Zero-day (CVE-2021-41773) vulnerability in Apache HTTP Server - Vulnerability Manager Plus not vulnerable

Hello everyone,

A zero-day has been discovered in Apache HTTP Server. This vulnerability is tracked as CVE-2021-41773 and allows attackers to perform directory traversal attacks. This vulnerability is being exploited in the wild.

Vulnerability details: 

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.

In Vulnerability Manager Plus: 

In Vulnerability Manager Plus, you can find this vulnerability under the Zero-day vulnerabilities tab.

[Update]

Vulnerability Manager Plus Status:

The CVE-2021-41773 vulnerability affects only Apache versions 2.4.49 and 2.4.50. Vulnerability Manager Plus runs Apache versions lower than 2.4.48 and hence is not vulnerable to this zero-day.
 
Patch Status:  

Apache version 2.4.51 has been released. It is under testing and is yet to be supported by Vulnerability Manager Plus.

 

Cheers,

The ManageEngine Team
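
The two conditions described under "Vulnerability details" and "Vulnerability Manager Plus Status" (an affected Apache version, and a filesystem root not protected by "require all denied") can be checked on your own servers with a short audit. This is an added example, not ManageEngine or Apache code; the function names and sample configurations are constructed for illustration, and the affected-version list is the one given in this post.

```python
import re

# Versions the post above lists as affected by CVE-2021-41773.
AFFECTED = {(2, 4, 49), (2, 4, 50)}

def parse_version(banner):
    """Return (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def directory_blocks(conf_text):
    """Yield (path, directives) per <Directory> block. Include files are not followed."""
    path, body = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            path, body = opened.group(1), []
        elif path is not None and re.match(r"</Directory\s*>$", line, re.I):
            yield path, body
            path = None
        elif path is not None:
            body.append(line)

def root_denied(conf_text):
    """True if the last 'Require all ...' rule set on <Directory /> is 'denied'."""
    denied = False
    for path, body in directory_blocks(conf_text):
        for directive in (body if path == "/" else []):
            m = re.fullmatch(r"Require\s+all\s+(denied|granted)", directive, re.I)
            if m:
                denied = m.group(1).lower() == "denied"
    return denied

def audit(banner, conf_text):
    """List findings for one server: affected version and/or unprotected root."""
    findings = []
    version = parse_version(banner)
    if version in AFFECTED:
        findings.append("affected version %d.%d.%d" % version)
    if not root_denied(conf_text):
        findings.append("filesystem root not covered by 'Require all denied'")
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = '<Directory />\n    AllowOverride none\n    Require all granted\n</Directory>\n'
HARDENED_CONF = '<Directory />\n    AllowOverride none\n    Require all denied\n</Directory>\n'
```

Pass `audit()` the output of `httpd -v` and the text of the main configuration file; an empty list means neither condition was found in that file alone.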