Arch Linux Security Advisory ASA-202110-1
=========================================

Severity: Critical
Date    : 2021-10-21
CVE-ID  : CVE-2021-42013
Package : apache
Type    : directory traversal
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2450

Summary
=======

The package apache before version 2.4.51-1 is vulnerable to directory
traversal.

Resolution
==========

Upgrade to 2.4.51-1.

# pacman -Syu "apache>=2.4.51-1"

The problem has been fixed upstream in version 2.4.51.

Workaround
==========

None.

Description
===========

It was found that the fix for CVE-2021-41773 in Apache HTTP Server
2.4.50 was insufficient. An attacker could use a path traversal attack
to map URLs to files outside the directories configured by Alias-like
directives. If files outside of these directories are not protected by
the usual default configuration "require all denied", these requests
can succeed. If CGI scripts are also enabled for these aliased pathes,
this could allow for remote code execution. This issue only affects
Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Impact
======

A remote attacker could trick the HTTP server into executing arbitrary
executables in its file system through path traversal.

References
==========

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013
https://twitter.com/roman_soft/status/1446252280597078024
https://github.com/icing/blog/blob/main/httpd-2.4.50.md
https://svn.apache.org/viewvc?view=revision&revision=1893971
https://security.archlinux.org/CVE-2021-42013