Apache HTTP Server Insecure Path Normalization (CVE-2021-41773, CVE-2021-42013)
Description
Apache HTTP Server versions 2.4.49 and 2.4.50 contain a critical path normalization vulnerability that allows attackers to bypass access controls through directory traversal. The flaw occurs when the server incorrectly processes URL-encoded path sequences (such as /.%2e/), enabling unauthorized access to files outside the document root. When combined with specific configurations (such as CGI script execution or mod_cgi enabled), this vulnerability can be escalated to achieve remote code execution on the affected server.
Remediation
Immediately upgrade Apache HTTP Server to version 2.4.51 or later, which contains fixes for both CVE-2021-41773 and CVE-2021-42013. Follow these steps:<br/><br/>1. Verify your current Apache version by running: <pre>httpd -v</pre> or <pre>apache2 -v</pre><br/>2. Download Apache HTTP Server 2.4.51 or later from the official Apache website<br/>3. Follow your distribution's standard upgrade procedure or compile from source<br/>4. After upgrading, restart the Apache service<br/>5. Verify the new version is running and test your applications for compatibility<br/><br/>As a temporary mitigation if immediate patching is not possible, disable CGI script execution and ensure that 'Require all denied' directives are properly configured for sensitive directories. However, upgrading remains the only complete solution to address this vulnerability.