Apache Web Server Flaw Allows Attackers to Access Files Outside the Document Root

Attackers are currently targeting Apache web servers, but only one version is affected.

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the document root of an Apache-based web server.

The path traversal vulnerability, tracked as CVE-2021-41773, only affects Apache HTTP Server version 2.4.49. It is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') vulnerability in Apache HTTP Server 2.4.49 that lets attackers use specially crafted URLs to view files outside the document root directory. If files outside the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts.
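The following Python script is an added example, not code from the advisory or the Apache project: it decodes the request target of each access-log line (constructed sample lines in the combined log format are embedded) and flags any request whose normalized path climbs above the document root, which is the condition the flaw abuses.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1896
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/../index.html HTTP/1.1" 200 1024
203.0.113.9 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/%2e%2e/%2e%2e/secret.txt HTTP/1.1" 403 199
"""

# Extracts method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_depth(target: str) -> int:
    """Resolve the path the way the filesystem ultimately sees it and return the
    lowest directory depth reached relative to the document root.
    A negative value means the request escaped the root at some point."""
    path = target.split("?", 1)[0]
    decoded = path
    # Decode repeatedly so percent-encoded dots (%2e) and double-encoded
    # sequences (%252e) are both resolved before the segments are walked.
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    depth = lowest = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return lowest


def find_traversal(log_text: str) -> list[tuple[str, str, int]]:
    """Return (client, target, lowest depth) for every request that left the root.
    Responses with 403 are kept too: a blocked attempt is still worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and normalize_depth(m.group("target")) < 0:
            hits.append((line.split(" ", 1)[0], m.group("target"),
                         normalize_depth(m.group("target"))))
    return hits


if __name__ == "__main__":
    for client, target, depth in find_traversal(SAMPLE_LOG):
        print(f"{client} climbed {-depth} level(s) above the document root: {target}")
```

Requests such as `/icons/../index.html` stay inside the root and are not flagged, so the check is on the resolved path rather than on the mere presence of `..`.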

Apache HTTP Server developers note that the security mechanism that would block such requests is not active by default. There is no official classification of the vulnerability's severity; the Apache team rates the security update as "important".

In its security advisory, the Apache team states that the flaw is fixed in the latest version, Apache HTTP Server 2.4.50. A second bug introduced in version 2.4.49 has also been corrected in the current version: by successfully exploiting it (CVE-2021-41524), attackers could trigger a denial of service with crafted HTTP/2 requests.