Apache Releases Patches to a Zero-Day Exploit in the Wild

Apache has issued patches for two security vulnerabilities, the first of which is tracked as CVE-2021-41773. This vulnerability affects only Apache HTTP Server version 2.4.49. Ash Daulton and the cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.

With this flaw, an attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by `require all denied`, these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts.
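The `require all denied` protection the paragraph refers to is the filesystem-level default in `httpd.conf`. The fragment below is an added illustration, not configuration from the article or from the Apache project: it shows the weak form (a permissive `<Directory />` block) beside the hardened form, and the paths `/srv/www` and `/srv/cgi-bin` are assumed placeholders.

```apache
# --- Weak form, shown for contrast only (do not keep both blocks in one file) ---
# With the filesystem root granted, any URL the server maps to a path outside
# DocumentRoot resolves to a readable file.
# <Directory />
#     AllowOverride None
#     Require all granted
# </Directory>

# --- Hardened form ---
# Deny everything at the filesystem root by default, then grant access only
# to the directories that are actually meant to be served.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

DocumentRoot "/srv/www"
<Directory "/srv/www">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# A mapped CGI directory needs its own explicit grant; anything else on the
# filesystem stays denied by the root block above.
ScriptAlias "/cgi-bin/" "/srv/cgi-bin/"
<Directory "/srv/cgi-bin">
    Options +ExecCGI
    AllowOverride None
    Require all granted
</Directory>
```

Validate the result with `apachectl configtest`; this is defense in depth for the document-root boundary and does not replace updating off 2.4.49.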

Apache also resolved a null pointer dereference vulnerability observed while processing HTTP/2 requests (CVE-2021-41524), which could allow an adversary to perform a denial-of-service (DoS) attack on the server. This weakness was also introduced in version 2.4.49.

If you run Apache HTTP Server, patch as soon as possible to close the path traversal vulnerability and mitigate the risk associated with active exploitation of the flaw.
