Advisory October 6, 2021

CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Actively Exploited

Obrela SOC

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and Apache HTTP Server 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied”, these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts. This issue is known to be exploited in the wild.
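Because the issue is being exploited in the wild, the first thing a SOC will want is a way to spot traversal attempts against the document root in existing access logs. The following Python script is an added example written for this advisory, not code from Apache or Obrela; the four log lines are constructed samples in Apache combined format, and the parsing regex and the helper names (fully_decode, escapes_root, scan, successful_hits) are our own. It percent-decodes each request path (repeatedly, so double-encoded dot segments are also caught), walks the path segments, and flags any request whose ".." segments would climb above the document root.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
# Line 1 is benign, lines 2-4 are traversal attempts with increasing encoding.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [06/Oct/2021:10:00:02 +0000] "GET /icons/../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.79.1"
203.0.113.12 - - [06/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.79.1"
203.0.113.13 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/%252e%252e/%252e%252e/x HTTP/1.1" 404 0 "-" "-"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path):
    """True if the decoded path's '..' segments climb above the document root."""
    depth = 0
    # Drop any query string, then inspect the path segments only.
    for seg in fully_decode(path).split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan(log_text):
    """Return (ip, raw_path, status) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if escapes_root(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def successful_hits(log_text):
    """Traversal attempts the server answered with 200: these need triage first."""
    return [h for h in scan(log_text) if h[2] == 200]


if __name__ == "__main__":
    for ip, path, status in scan(SAMPLE_LOG):
        flag = "SUCCESS?" if status == 200 else "blocked/missing"
        print(f"{ip} {status} {flag} {path}")
```

A 403 or 404 on a flagged path usually means the request never left the document root or hit a directory protected by Require all denied; a 200 on a flagged path is the case to investigate, since it indicates the mapping succeeded and the file content (or a CGI script's source) was returned.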

According to Shodan, almost 112,000 Apache HTTP Servers appear to be running a vulnerable version. The real number is likely higher, since Apache HTTP Server can be configured not to disclose any version information.

Severity: 5.1 (Important)

Affected version: Apache 2.4.49 and Apache 2.4.50

Remediation

All users should ensure that they update to the fixed version, 2.4.51, since the fix for CVE-2021-41773 in version 2.4.50 was insufficient.
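While the upgrade is being rolled out, the advisory's own mitigating condition, files outside the document root being protected by “require all denied”, can be checked in the server configuration. The fragment below is an added example, not configuration taken from this advisory or shipped by the Apache project; the document root path /var/www/html is a constructed placeholder. It denies access to the filesystem root and then re-grants it only for the document root, so a URL that normalizes to a location outside it is refused with 403.

```apache
# Deny everything on the filesystem by default. A request that maps outside
# the document root then fails with 403 instead of serving the file.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Constructed example document root; replace with the real path.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

Run httpd -t (or apachectl configtest) after editing to confirm the syntax, and httpd -v to confirm the running version is 2.4.51. Note that this access control limits what a traversal can reach but does not address the source disclosure of CGI scripts that live inside an allowed directory, so it complements the upgrade rather than replacing it.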