A zero-day has been discovered in Apache HTTP Server. This vulnerability is tracked as CVE-2021-41773 and allows attackers to perform directory traversal attacks. This vulnerability is being exploited in the wild.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "Require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.
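To check the "Require all denied" condition described above, the following added example (not part of the original advisory and not Apache or ManageEngine code) audits a configuration for a filesystem-root section that denies access. It assumes the whole configuration is in one text blob and does not follow Include directives; the function names and sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """
DocumentRoot "/var/www/html"
<Directory />
    AllowOverride none
    Require all granted
</Directory>
"""

HARDENED_CONF = """
DocumentRoot "/var/www/html"
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

# Matches <Directory path> ... </Directory>; the path may be quoted.
SECTION = re.compile(
    r'^\s*<Directory\s+"?([^">]+?)"?\s*>(.*?)^\s*</Directory>',
    re.I | re.M | re.S,
)

def root_requires(conf_text):
    """Return the normalized Require lines found in <Directory /> sections."""
    # Drop comment lines so a commented-out directive is not counted.
    conf = "\n".join(
        l for l in conf_text.splitlines() if not l.lstrip().startswith("#")
    )
    found = []
    for path, body in SECTION.findall(conf):
        if path.strip() != "/":
            continue
        for line in body.splitlines():
            norm = " ".join(line.split()).lower()
            if norm.startswith("require "):
                found.append(norm)
    return found

def root_is_denied(conf_text):
    """True only if the filesystem root is denied and not also granted."""
    reqs = root_requires(conf_text)
    # Sibling Require lines are OR-ed, so a stray "granted" wins over "denied".
    return "require all denied" in reqs and "require all granted" not in reqs
```

A configuration with no root section at all is reported as not denied, since nothing in it restricts paths outside the document root.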
Patch Manager Plus Status:
Apache version 2.4.51 has been released. It is under testing and is yet to be supported by Patch Manager Plus.
The ManageEngine Team