[ASA-202110-1] apache: directory traversal
diabonas at archlinux.org
Thu Oct 21 18:56:43 UTC 2021
Arch Linux Security Advisory ASA-202110-1
Date : 2021-10-21
CVE-ID : CVE-2021-42013
Package : apache
Type : directory traversal
Remote : Yes
Link : https://security.archlinux.org/AVG-2450
The package apache before version 2.4.51-1 is vulnerable to directory
Upgrade to 2.4.51-1.
# pacman -Syu "apache>=2.4.51-1"
The problem has been fixed upstream in version 2.4.51.
It was found that the fix for CVE-2021-41773 in Apache HTTP Server
2.4.50 was insufficient. An attacker could use a path traversal attack
to map URLs to files outside the directories configured by Alias-like
directives. If files outside of these directories are not protected by
the usual default configuration "require all denied", these requests
can succeed. If CGI scripts are also enabled for these aliased pathes,
this could allow for remote code execution. This issue only affects
Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
A remote attacker could trick the HTTP server into executing arbitrary
executables in its file system through path traversal.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security