Apache Web Server Zero-Day Exposes Sensitive Data

The open-source project has rolled out a fix for CVE--41773, for which public cyberattack exploit code is circulating.

Apache has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The is under active exploitation in the wild, it said, and could allow attackers to access sensitive information.

According to a security advisory issued on Monday, the issue (CVE-2021-41773) could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized people to access files on a web server, by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.

The vulnerability is rated Important, with a CVSS score of 5.1 out of 10.

In this case, the issue affects only version 2.4.49 of Apache’s open-source web server, which offers cross-platform operability with all modern operating systems, including UNIX and Windows.

“A was found in a change made to path normalization in Apache HTTP Server 2.4.49,” according to

Read More: https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/