Proposal: Case Study for CVE-2021-41773 (Path Traversal in Apache HTTP Server) #67
Hello,
I would like to propose a new secure coding case study for the following vulnerability:
CVE: CVE-2021-41773
Software: Apache HTTP Server
Language: C
Primary Weakness: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
Proposed Author: Greeshma Vasudeva Sagar
Why this case study is valuable:
CVE-2021-41773 is a real-world path traversal vulnerability in Apache HTTP Server 2.4.49 that allows attackers to access files outside the intended document root. This vulnerability shows how improper handling of user input and path validation can lead to unauthorized file access.
This is a good case study because:
- Apache HTTP Server is widely used
- The vulnerable and fixed code are publicly available
- The root cause is clear and easy to understand
- It demonstrates a common and important security issue
Proposed scope:
In this case study, we plan to:
- Explain what path traversal is (CWE-22)
- Show how the vulnerability happened in Apache HTTP Server
- Explain how an attacker could access restricted files
- Describe how the issue was fixed in the code
- Provide practical ways developers can avoid similar mistakes
References:
- Apache HTTP Server Project: https://httpd.apache.org/
- CVE-2021-41773: https://www.cve.org/CVERecord?id=CVE-2021-41773
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- CWE-22: https://cwe.mitre.org/data/definitions/22.html
- Apache Fix Commit: apache/httpd@4c79fd2
Group Members:
- Greeshma Vasudeva Sagar -- (G Number: G01589341)
- Adhityakumar Kandasamy -- (G Number: G01585194)
- Evangelina Kopela -- (G Number: G01502543)
Thank you!
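As an added example for the "practical ways developers can avoid similar mistakes" item in the proposal (this is not Apache's code and not taken from the fix commit), here is a decode-then-normalise request path check in C: it decodes percent escapes before looking for `..` segments, so an encoded dot is treated exactly like a literal one, and it rejects any path that would pop past the document root, carries an embedded NUL, or contains a malformed escape. The names `url_decode`, `safe_request_path` and `normalises_to` are hypothetical helpers written for this example.

```c
#include <stdbool.h>
#include <string.h>
static int hexval(char c) {   /* value of one hex digit, -1 if not hex */
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}
/* Decode %XX escapes into out. Returns decoded length, or -1 on a malformed escape or overflow. */
static long url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return -1;           /* keep room for the terminator */
        if (in[i] == '%') {
            int hi = hexval(in[i + 1]), lo = hi < 0 ? -1 : hexval(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            out[o++] = (char)(hi * 16 + lo); i += 2;
        } else out[o++] = in[i];
    }
    out[o] = '\0';
    return (long)o;
}
/* Decode FIRST, then normalise segment by segment so encoded dots are seen as dots.
 * Rejects paths that climb above the document root, embedded NULs and bad escapes.
 * On success out holds the canonical path, e.g. "/dir/file" (outlen must be >= 2). */
bool safe_request_path(const char *raw, char *out, size_t outlen) {
    char dec[1024];                                /* hypothetical fixed-size decode buffer */
    long n = url_decode(raw, dec, sizeof dec);
    if (n < 0 || (size_t)n != strlen(dec) || dec[0] != '/' || outlen < 2) return false;
    size_t o = 0;
    for (char *seg = strtok(dec, "/"); seg != NULL; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;       /* "." never changes the path */
        if (strcmp(seg, "..") == 0) {
            if (o == 0) return false;              /* nothing to pop: would leave the root */
            while (o > 0 && out[--o] != '/') {}    /* drop the previous segment */
            continue;
        }
        size_t len = strlen(seg);
        if (o + 1 + len + 1 > outlen) return false;
        out[o++] = '/'; memcpy(out + o, seg, len); o += len;
    }
    if (o == 0) out[o++] = '/';                    /* "/" or "/./" normalise to "/" */
    out[o] = '\0';
    return true;
}
/* True when raw normalises to expected; pass NULL to check that raw is rejected. */
bool normalises_to(const char *raw, const char *expected) {
    char out[256];
    bool ok = safe_request_path(raw, out, sizeof out);
    return expected == NULL ? !ok : (ok && strcmp(out, expected) == 0);
}
```

The decisive detail is the order of operations: checking for `..` on the raw, still-encoded string would let `.%2e` through, while decoding first makes the check see what the filesystem would see.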