Apache HTTP Server users have been advised to patch as soon as possible, as a zero-day bug in the open-source, cross-platform web server software is being actively exploited in the wild. At the time of writing, over 100,000 servers appear to be vulnerable to attack.
A few days after the Apache HTTP Server developers were notified of the vulnerability, the Apache Software Foundation released version 2.4.50 to address it.
Cybersecurity specialist Ash Daulton discovered the flaw and reported it to the Apache HTTP Server project on September 29, 2021.
The vulnerability being exploited in the wild is tracked as CVE-2021-41773 and, according to researchers, is a path traversal and file disclosure flaw affecting the previous release, version 2.4.49.
What Is Apache HTTP Server?
The Apache HTTP Server is free, open-source, cross-platform web server software, developed and maintained by an open community of developers under the guidance of the Apache Software Foundation.
Most Apache HTTP Server instances run on Linux distributions, but current versions also run on Microsoft Windows, OpenVMS, and a wide variety of Unix-like systems.
By exploiting the path traversal flaw, an attacker could map URLs to files outside the expected document root and disclose their contents.
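To illustrate how a defender can spot this class of request in Apache access logs, here is an added example (not code from the article or from the Apache project): it fully percent-decodes each requested path, normalises it under an assumed document root of `/var/www/html`, and flags any request that would resolve above that root. The log lines are constructed samples, and the document-root check is a deliberately conservative simplification of Apache's own URL-to-file mapping.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [05/Oct/2021:10:12:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1786
198.51.100.9 - - [05/Oct/2021:10:12:05 +0000] "GET /icons/../images/logo.png HTTP/1.1" 200 2211
198.51.100.9 - - [05/Oct/2021:10:12:06 +0000] "GET /icons/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 196
"""

# Extracts the request target from the quoted request line of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def escapes_docroot(docroot: str, target: str) -> bool:
    """Return True if the request path, after full percent-decoding and
    normalisation, would resolve to a file outside the document root."""
    path = target.split("?", 1)[0]
    # Decode repeatedly so double-encoded sequences (e.g. %252e) are also
    # resolved; any encoded form of '.' ends up as a literal dot before the check.
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Anchor the path under the docroot and collapse every '..' segment.
    resolved = os.path.normpath(os.path.join(docroot, decoded.lstrip("/")))
    root = os.path.normpath(docroot)
    return not (resolved == root or resolved.startswith(root + os.sep))


def flag_traversal(log_text: str, docroot: str = "/var/www/html") -> list:
    """Return (client_ip, target) tuples for requests that escape the docroot."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_docroot(docroot, m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for client, target in flag_traversal(SAMPLE_LOG):
        print(f"path traversal attempt from {client}: {target}")
```

A request that merely climbs within the document root (the `/icons/../images/` line) is not flagged, so the rule keys on the escape itself rather than on the presence of `..`.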