Critical - CVSS 9.8
Known Ransomware Use
Added 11/3/2021

Apache HTTP Server Path Traversal Vulnerability

CVE-2021-41773
Action was due by: 11/17/2021
CISA Known Exploited Vulnerability

This vulnerability is part of CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. It has been observed in ransomware campaigns.

Overview

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under the default "require all denied" or if CGI scripts are enabled. The original patch issued under this CVE ID is insufficient; please review the remediation information under CVE-2021-42013.

Vendor

Apache

Product

HTTP Server

Category

Web Application

Technical Details

Affected Versions

See vendor advisory

Technical Description

This vulnerability was identified in HTTP Server by Apache. Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under the default "require all denied" or if CGI scripts are enabled. The original patch issued under this CVE ID is insufficient; please review the remediation information under CVE-2021-42013.

Exploitability

High - Known ransomware exploitation

Impact

Complete system compromise possible

Additional Notes

https://nvd.nist.gov/vuln/detail/CVE-2021-41773

Required Action (CISA)

Apply updates per vendor instructions.

Due Date: 11/17/2021