"Apache Web Server Zero-Day Exposes Sensitive Data"

The Apache Software Foundation has issued a fix for a zero-day vulnerability in the Apache HTTP Server after researchers disclosed it to the project. The bug is under active exploitation in the wild and could allow attackers to read sensitive files. According to a security advisory issued on Monday, the issue (CVE-2021-41773) allows path traversal and subsequent file disclosure. Path traversal flaws let unauthorized parties read files on a web server by tricking either the web server or the web application running on it into returning files that lie outside the web root directory. Per the advisory, the traversal only succeeds against files outside the document root that are not protected by a "require all denied" directive. The vulnerability is rated Important, with a CVSS score of 5.1 out of 10.

The vulnerability affects only version 2.4.49 of Apache's open-source web server, which runs on all modern operating systems, including UNIX and Windows. The flaw was introduced by a change to path normalization in Apache HTTP Server 2.4.49. Tenable noted that a Shodan search on Tuesday turned up about 112,000 Apache HTTP Servers whose banners report the vulnerable version, including roughly 43,000 in the U.S. Users can protect themselves by upgrading to version 2.4.50.
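The two checks a defender would run after reading the item above are (a) does a server's banner report the affected release, and (b) do the access logs already show traversal attempts against it. The following Python is an added example written for this page, not code from Apache, Threatpost or Tenable. The access-log lines, IP addresses and timestamps are constructed for the demonstration; the traversal detector is generic (it percent-decodes repeatedly and then resolves `..` segments), so it does not depend on any particular encoding an attacker used, and it goes beyond the single case in the text by also catching double-encoded dot-dot segments.

```python
"""Triage helpers for the Apache HTTP Server path-traversal bug (CVE-2021-41773).

Added example for this page (not Apache's own code). Two checks:
  1. is_vulnerable_banner(): flag a Server header reporting the affected release.
  2. scan_access_log(): flag access-log requests whose decoded path would climb
     above the document root (dot-dot segments, plain, URL-encoded or double-encoded).
"""
import re
from urllib.parse import unquote

# The only affected release named in the advisory summarized above.
VULNERABLE_VERSIONS = {"2.4.49"}
BANNER_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_vulnerable_banner(server_header: str) -> bool:
    """True if a Server header such as 'Apache/2.4.49 (Unix)' names the affected version."""
    m = BANNER_RE.search(server_header)
    return bool(m) and m.group(1) in VULNERABLE_VERSIONS


def normalize_path(raw_target: str, max_rounds: int = 3) -> str:
    """Strip the query string and percent-decode until the path stops changing.

    Repeated decoding matters because attackers double-encode (%252e -> %2e -> .)
    to slip past filters that decode only once.
    """
    path = raw_target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if resolving the '..' segments of an absolute path climbs above '/'."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_access_log(lines):
    """Return one record per request whose decoded path escapes the web root.

    A 200 status on a flagged line means the server actually served the file,
    which is the file-disclosure outcome the advisory warns about; a 403/404
    is an attempt that was blocked.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = normalize_path(m.group("target"))
        if escapes_root(decoded):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "decoded": decoded,
                "status": m.group("status"),
            })
    return hits


# Constructed sample log (not real traffic): two benign requests, then two
# traversal attempts from one client, one served (200) and one blocked (403).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2021:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 10926 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Oct/2021:13:55:37 +0000] "GET /docs/../index.html HTTP/1.1" 200 10926 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Oct/2021:13:56:01 +0000] "GET /icons/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1324 "-" "curl/7.68.0"
198.51.100.23 - - [05/Oct/2021:13:56:02 +0000] "GET /icons/%252e%252e/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    print("banner vulnerable:", is_vulnerable_banner("Apache/2.4.49 (Unix)"))
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit["status"], hit["ip"], hit["target"], "->", hit["decoded"])
```

Note that `/docs/../index.html` is not flagged: a `..` that stays inside the root is ordinary and would otherwise drown the results in noise. The log scan is a triage aid for finding out whether a 2.4.49 host was already hit; it is not a mitigation, and the fix remains the upgrade described in the item above.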

Threatpost reports: "Apache Web Server Zero-Day Exposes Sensitive Data"