Apache sårbarhet, zero-day, directory traversal

Zero-day actively exploited in the wild


Tracked as CVE-2021-41773, the vulnerability is the result of an incomplete path normalization logic implemented in the Apache HTTP server 2.4.49 that in turn introduced a vulnerability.

Unfortunately, the vulnerability was exploited in the wild before it was reported to the Apache project, making it a zero-day.

Det som man har missat att kolla efter “../” när man kodar punkt med %-kodning, dvs som “%2E” vilket blir samma sak som punkt i en URL.

Apache har släppt en patchHÄR