![]() This QID sends a HTTP GET request to a invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host. This could potentially expose sensitive user data to attackers. ![]() Tomcat's RemoteIpFilter, when used with HTTP requests received from a reverse proxy that includes the X-Forwarded-Proto header set to https, may cause session cookies created by Tomcat to be transmitted over an insecure channel if the secure attribute is not included in the cookies. => Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. => Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708) Please address comments about any linked pages to. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. ![]() CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. There may be other websites that are more appropriate for your purpose. No inferences should be drawn on account of other sites being referenced, or not, from this page. We have provided these links to other websites because they may have information that would be of interest to you. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.By selecting these links, you may be leaving CVEreport webspace. For more information, see Apache's advisory. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51 released October 7, 2021. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution."ĬVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. According to their advisory, "an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. October 7, 2021: Apache has updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. Rapid7 customersĪ remote vulnerability check for CVE-2021-41773 was released to InsightVM and Nexpose customers in the Octocontent update.Ī remote vulnerability check for CVE-2021-42013 was released to InsightVM and Nexpose customers in the Octocontent update. For more information, see Apache’s advisory here. If a vulnerable server is discovered, the server’s configuration file should be updated to include the filesystem directory directive with require all denied: Īpache HTTP Server users should update to 2.4.51 or later as soon as is practical. Organizations that are using Apache HTTP Server 2.4.49 or 2.4.50 should determine whether they are using vulnerable configurations. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable). Rapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Rapid7’s research team has a full root cause analysis of CVE-2021-41773 here along with proofs of concept. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program’s output back to the attacker. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. While mod_cgi is not enabled in the default Apache Server HTTP configuration, it’s also not an uncommon feature to enable. While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. Note that a non-default configuration is required for exploitability. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 and 2.4.50 (see the Updates section for more on 2.4.50). See the Updates section at the end of this post for information on developments that occurred after initial publication.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |