CVE-2021-41773 urgent Apache security fixes released

Apache has issued urgent security patches to address 2 new security vulnerabilities—including a zero-day path traversal and file disclosure flaw (CVE-2021-41773) in HTTP servers that it said is being actively exploited in the wild.

Since some chapters host their own website and may use Apache, I’ve posted it here to alert them. I’ll also tag the @it-team to notify them. This forum uses Nginx as a web server, so we’re good.

Details:

Does this affect HTTPS?

Hi @shaunmac, welcome to the forum! :slight_smile:

No, this flaw can make it possible for an attacker to see the directory structure that’s being hosted as well as what’s outside of that.

An attacker could use a path traversal attack to map URLs to files outside the expected document root.

In other words, attackers could have a look at the system’s internal file and directory structure.

Please consider leaving an introduction here so we may get to know you better. Thanks!
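
The "files outside the expected document root" point from the reply above, shown as a defensive containment check. This is an added example, not part of the original thread and not Apache's code; the document root, function names and sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root for this example


def resolve(url_path, docroot=DOCROOT):
    """Map a request path to a file path; return None if it leaves docroot."""
    # Decode percent-encoding until the string stops changing, so single- and
    # double-encoded dot segments are checked in their final form. This is a
    # deliberately conservative policy (stricter than one decoding pass).
    decoded = url_path
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None  # still changing after 5 rounds: reject
    if "\x00" in decoded:
        return None
    # Collapse "." and ".." lexically, then compare on a component boundary so
    # that "/var/www/html-backup" is not mistaken for a child of the docroot.
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def rejected(paths, docroot=DOCROOT):
    """Return the request paths that would resolve outside docroot."""
    return [p for p in paths if resolve(p, docroot) is None]


# Constructed sample request paths (not taken from real traffic).
SAMPLE = [
    "/index.html",
    "/img/../index.html",
    "/static/../../secret.txt",
    "/static/%2e%2e/%2e%2e/secret.txt",
    "/static/%252e%252e/%252e%252e/secret.txt",
    "/../html-backup/site.tar",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(f"{path!r:45} -> {resolve(path)}")
```

The check is purely lexical; on a real filesystem, symlinks inside the document root also need resolving (for example with `os.path.realpath`) before the comparison.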