Mageia 8: MGASA-2021-0470 Critical: Apache Remote Code Execution Risk
mageia
October 8, 2021
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient
Summary
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was
insufficient. An attacker could use a path traversal attack to map URLs to files
outside the directories configured by Alias-like directives. If files outside of
these directories are not protected by the usual default configuration "require
all denied", these requests can succeed. If CGI scripts are also enabled for
these aliased pathes, this could allow for remote code execution
(CVE-2021-42013).
References
- https://bugs.mageia.org/show_bug.cgi?id=29536
- https://downloads.apache.org/httpd/Announcement2.4.html
- - https://httpd.apache.org/security/vulnerabilities_24.html
- https://www.cve.org/CVERecord?id=CVE-2021-42013
Topics Covered
Resolution
SRPMS
- 8/core/apache-2.4.51-1.mga8
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 08 Oct 2021
URL: https://advisories.mageia.org/MGASA-2021-0470.html
Type: security
CVE: CVE-2021-42013
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!