Zero-day (CVE-2021-41773) vulnerability in Apache HTTP Server - Patch Manager Plus not vulnerable

Hello everyone,

A zero-day has been discovered in Apache HTTP Server. This vulnerability is tracked as CVE-2021-41773 and allows attackers to perform directory traversal attacks. This vulnerability is being exploited in the wild.

Vulnerability details: 

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts.


[Update]

Patch Manager Plus Status:

The CVE-2021-41773 vulnerability only affects Apache versions 2.4.49 and 2.4.50. Patch Manager Plus runs an Apache version lower than 2.4.48 and is therefore not vulnerable to this zero-day.

Patch Status:

Apache version 2.4.51 has been released. It is under testing and is not yet supported by Patch Manager Plus.


Cheers,

The ManageEngine Team