• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-41773 A Path Traversal And File Disclosure Vulnerability In Apache?
How to Fix CVE-2021-41773

A path traversal and file disclosure vulnerability is found in the Apache webserver. The report also reveals that vulnerability tracked as CVE-2021-41773 is being exploited in the wild. Let’s see how to fix CVE-2021-41773 the Path Traversal and File Disclosure vulnerability in the post.

What Is Apache?

Apache is one of the well-known web server applications being used for few decades. It is developed and maintained by Apache Software Foundation. Apache is the open-source application available for most of the operating systems from Linux distribution to Mac and Windows. According to the report Apache is serving approximately 30% of the web servers.

Summary Of CVE-2021-41773 a Path Traversal And File Disclosure Vulnerability:

Apache Software Foundation says this vulnerability was reported on 2021-09-29 and it was fixed in Apache HTTP Server v2.4.50 on 2021-10-01. According to the report “An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed.” They also added that this vulnerability could leak the source of interpreted files like CGI scripts.

Apache Versions Affecting CVE-2021-41773 Path Traversal And File Disclosure Vulnerability:

This vulnerability affects all the versions below Apache v2.4.50. Therefore it is required to fix CVE-2021-41773 Path Traversal and File Disclosure Vulnerability on all the versions including Apache v2.4.49.

Reported to the security team2021-09-29
fixed by r1893775 in 2.4.502021-10-01
Update 2.4.50 released2021-10-04
Affects2.4.49

How To Fix CVE-2021-41773 a Path Traversal And File Disclosure Vulnerability?

Apache has released a new version v2.4.50 in which the Path Traversal and File Disclosure Vulnerability (CVE-2021-41773) is fixed. Let’s see how to fix CVE-2021-41773 the Path Traversal and File Disclosure vulnerability in Apache. Let’s upgrade the Apache to the latest version v2.4.50 on Ubuntu or Linux Mint.

You can fix Fix CVE-2021-41773 a Path Traversal and File Disclosure Vulnerability in two ways.

  1. Update Apache server to greater then or equal to v2.4.50
  2. Set restrictions in apache2.conf file

Time needed: 10 minutes.

How to Fix CVE-2021-41773

  1. Method 1: Update system repositories

    Run the command on your Ubuntu server to update and upgrade repositories.

    $ sudo apt update && sudo apt upgrade -y

    Update the repositories

  2. Check the currently running version of the Apache server

    Run this command to check the Apache server version on the Ubuntu server.

    $ apache2 -v

    Check the apache version

  3. Add Apache PPA

    Update the Apache PPA to fetch the latest compiled package from the Ubuntu repository.

    $ sudo add-apt-repository ppa:ondrej/apache2 -y && sudo apt update

    Adding Apache PPA

  4. Install Apache2

    Upon adding the Apache PPA, install Apache from the new repositories.

    $ sudo apt install apache2

    Install apache2 on ubuntu

  5. Verify the upgrade after the successful installation of Apache

    Verify the version of Apache as shone in step 2.

    $ apache2 -v

    How to Fix CVE-2021-41773

  6. Method 2: Set restrictions in apache2.conf file


    Edit the apache2.conf file underneath /etc/apache2 directory using any text editor. We are using nano in this demonstration.

    $ sudo nano /etc/apache2/apache2.conf

    Edit apache2.conf file

  7. Set restrictions in apache2.conf file

    In the apache2.conf file locate these lines and change Require all to denied if you see granted. By the way, This configuration has been updated in v2.4.50. You need not to have this settings to update. However, ensure it is denied. This configuration will be able to fix the vulnerability no matter which version of Apache you have.

    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
    </Directory>

    After the completion of the change: write the changes to the file with Ctrl + o and Enter keys, Ctrl + x to exit the file.


    Set restrictions in apache2.conf file

How To Validate Your Site Is Vulnerable To CVE-2021-41773?

iilegaxyyii has created a python script to validate the Apache server is vulnerable to CVE-2021-41773. Download the python file and pass the IP address or URL of your site or application like this.

CVE-2021-41773.py [-h] host

Checks if an apache server is vulnerable to CVE-2021-41773.

positional arguments:
  host        ip/domain to be checked e.g. 'https://google.com/'

optional arguments:
  -h, --help  show this help message and exit

This is how you can upgrade the Apache server to v2.4.50 and fix CVE-2021-41773 the Path Traversal and File Disclosure vulnerability.

We hope this post will help you fixing CVE-2021-41773 the Path Traversal and File Disclosure vulnerability in the Apache server. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.