A patch that was released to fix a path traversal bug in Apache HTTP Server is insufficient in protecting against the vulnerability and could allow for remote code execution (RCE).
The high-impact vulnerability was thought to have been fixed in Apache Server version 2.4.50, which was released earlier this week.However not only did the update fail to resolve the issue, developers of the software are also now warning it presents a bigger security issue than previously thought.
The team behind Apache HTTP Server revealed that the update does not protect against a critical RCE bug, which is being exploited in the wild.An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
A September update to Apache HTTP Server 2.4 was released to address a number of issues including server-side request forgery (SSRF) and request smuggling bugs. These were patched in version 2.4.49, however the update also introduced a new vulnerability when a flaw was found in changes made to the path normalization process.
This new issue allowed an attacker to use a path traversal attack to map URLs to files outside the expected document root.Apache patched the issue in version 2.4.50, but this update was later determined not to be sufficient.The developers then released the latest update 2.4.51 that addresses the path traversal bug as well as a newly-discovered RCE vulnerability.
Web admins are urged to update to version 2.4.51 which can be found in the Apache advisory