Tracked as CVE-2021-41773, the vulnerability is the result of an incomplete path normalization logic implemented in the Apache HTTP server 2.4.49 that in turn introduced a vulnerability.
Unfortunately, the vulnerability was exploited in the wild before it was reported to the Apache project, making it a zero-day.
Det som man har missat att kolla efter
när man kodar punkt med %-kodning, dvs som