2021-10-06 Apache HTTP Server 2.4.49 path traversal and file disclosure vulnerability (CVE-2021-41773 and CVE-2021-42013)
CVE-2021-41773 and CVE-2021-42013: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 and 2.4.50.
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
If files outside the document root are not protected by "Require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts.
This issue affects only Apache HTTP Server versions 2.4.49 and 2.4.50, not earlier ones.
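The two defender-side checks that follow up on the advisory above, as an added example that is not part of the Bitnami advisory or of Apache itself: the first confirms that an httpd configuration locks down the filesystem root with a `<Directory />` block containing `Require all denied` (the control the advisory names as what makes traversal requests fail), and the second scans Apache combined-format access-log lines for requests whose percent-decoded path walks above the document root. The configuration text, the document-root path `/var/www/html` and the log lines are constructed sample data, and the function names are this example's own.

```python
"""Added example (not from the Bitnami advisory or the Apache project):
defender-side checks for the Apache HTTP Server 2.4.49/2.4.50
path-normalization flaw.

1. audit_httpd_conf(): is the filesystem root denied by default?
2. find_traversal_requests(): which logged requests escape the docroot?

All configuration text and log lines are constructed sample data.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed configurations. The weak one only grants the docroot and never
# denies the filesystem root; the hardened one denies "/" first and then
# grants the docroot explicitly. "/var/www/html" is a placeholder docroot.
WEAK_CONF = """\
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

HARDENED_CONF = """\
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

# Constructed access-log lines (Apache "combined" format).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/Oct/2021:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2021:10:15:02 +0000] "GET /images/../css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Oct/2021:10:16:44 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1364 "-" "curl/7.68.0"
198.51.100.23 - - [06/Oct/2021:10:16:45 +0000] "GET /icons/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

# A <Directory path> ... </Directory> block; path may be quoted or bare.
_DIRECTORY_BLOCK = re.compile(
    r'<Directory\s+"?(?P<path>[^\s">]+)"?\s*>(?P<body>.*?)</Directory>',
    re.IGNORECASE | re.DOTALL,
)
_REQUIRE_ALL_DENIED = re.compile(
    r"^\s*Require\s+all\s+denied\s*$", re.IGNORECASE | re.MULTILINE
)
# Combined-format prefix: client, ident, user, timestamp, request line, status.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def audit_httpd_conf(conf_text: str) -> bool:
    """Return True if some <Directory /> block contains 'Require all denied'.

    This is a lint over one file's text; it does not follow Include
    directives or evaluate merge order the way httpd does.
    """
    for m in _DIRECTORY_BLOCK.finditer(conf_text):
        if m.group("path") == "/" and _REQUIRE_ALL_DENIED.search(m.group("body")):
            return True
    return False


def escapes_docroot(raw_target: str) -> bool:
    """Percent-decode the request path until stable (so doubly-encoded
    forms are seen too) and report whether its '..' segments ever step
    above the document root."""
    path = raw_target.split("?", 1)[0]  # ignore the query string
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True  # resolved above "/"
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal_requests(log_text: str) -> List[Dict[str, str]]:
    """Return client, target and status for every logged request that
    escapes the docroot. A 200 on such a request is the case to triage."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        if escapes_docroot(m.group("target")):
            hits.append({"ip": m.group("ip"), "target": m.group("target"),
                         "status": m.group("status")})
    return hits


if __name__ == "__main__":
    print("weak conf denies root:", audit_httpd_conf(WEAK_CONF))
    print("hardened conf denies root:", audit_httpd_conf(HARDENED_CONF))
    for hit in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", hit)
```

The log check treats `/images/../css/site.css` as benign because the resolved path stays inside the document root; only paths that resolve above `/` are flagged, and the status code tells you whether the server actually served the file (200) or the `Require all denied` block stopped it (403). The configuration lint is a quick consistency check for the mitigation the advisory names, not a substitute for upgrading to a fixed release.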
The Bitnami team is working to release new versions of the affected applications for all the supported platforms (virtual machines, cloud images, containers and Helm Charts).
If you have any questions about this security issue, you can visit this GitHub repository in the case of cloud images, installers or VMs, or open a GitHub issue in the case of Helm Charts and containers.