Apache HTTP Server Project patches exploited zero-day vulnerability
Apache HTTP Server Project developers are urging users to immediately implement a patch that resolves a zero-day vulnerability. According to a security advisory that was published yesterday, the bug is known to be actively exploited in the wild. Apache HTTP Server is an open-source project that focuses on the development of HTTP server software suitable for operating systems such as UNIX and Windows.
The security flaw in question was discovered by a security researcher on the cPanel security team in a change made to path normalization in the server software. An attacker could reportedly use a path traversal attack to map URLs to files outside the expected document root. The flaw could also leak the source of interpreted files such as CGI scripts. Positive Technologies has since reproduced the bug, tracked as CVE-2021-41773. Approximately 112,000 Apache servers are currently vulnerable, 40% of which are located in the US.