Information on Apache CVE-2021-41773 and CVE-2021-42013 Vulnerabilities

On 4 October 2021, the Apache Software Foundation disclosed a vulnerability in Apache HTTP Server version 2.4.49, known as CVE-2021-41773. At the same time, the 2.4.50 update that fixed this vulnerability was released and made available to users.

However, on 7 October 2021 the update for CVE-2021-41773 was reported, as CVE-2021-42013, to be an incomplete fix: it contained a path normalization bug that allowed an attacker to access arbitrary files without authorization.

The Apache Software Foundation reports that an update to version 2.4.51 is required to reduce the risk of attacks on Apache servers.

The CVE-2021-42013 vulnerability has not yet been evaluated by NIST, and its CVE score has not been disclosed.
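
To check a fleet against the versions named above, the following shell functions classify Apache version banners as 2.4.49, 2.4.50, or 2.4.51 and later. This is an added example, not part of the original advisory or of Apache's own tooling; the status labels, hostnames and sample banners are constructed for illustration.

```shell
# Added example (not from the advisory): classify Apache httpd version banners
# against the releases this page names: 2.4.49, 2.4.50 and 2.4.51.

# Pull "x.y.z" out of a banner such as
#   "Server version: Apache/2.4.49 (Unix)"   (output of `httpd -v`)
#   "Server: Apache/2.4.50 (Debian)"          (HTTP response header)
extract_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Status labels are this example's own, not official terminology.
classify_httpd_banner() {
    ver=$(extract_httpd_version "$1")
    case $ver in
        "")      echo "UNKNOWN" ;;                  # version hidden or not Apache
        2.4.49)  echo "AFFECTED_CVE-2021-41773" ;;
        2.4.50)  echo "AFFECTED_CVE-2021-42013" ;;  # incomplete fix for 41773
        2.4.*)   patch=${ver##*.}
                 if [ "$patch" -ge 51 ]; then echo "OK_2.4.51_OR_LATER"
                 else echo "NOT_COVERED"; fi ;;     # older than 2.4.49
        *)       echo "NOT_COVERED" ;;              # branch not discussed here
    esac
}

# Read "host<TAB>banner" lines on stdin; print "host<TAB>status" and
# return non-zero if any host still needs the 2.4.51 update.
audit_inventory() {
    needs_update=0
    while IFS="$(printf '\t')" read -r host banner; do
        [ -n "$host" ] || continue
        status=$(classify_httpd_banner "$banner")
        printf '%s\t%s\n' "$host" "$status"
        case $status in AFFECTED_*) needs_update=1 ;; esac
    done
    return "$needs_update"
}

# Constructed sample inventory (hostnames and banners are made up).
sample_inventory() {
    printf 'web01\tServer version: Apache/2.4.49 (Unix)\n'
    printf 'web02\tServer: Apache/2.4.50 (Debian)\n'
    printf 'web03\tServer version: Apache/2.4.51 (Unix)\n'
    printf 'web04\tServer: Apache\n'
}

sample_inventory | audit_inventory || echo "update required: see AFFECTED hosts"
```

A banner can be suppressed or altered, so treat `UNKNOWN` as a prompt to run `httpd -v` on the host itself.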

Details