The directory path traversal flaw was fixed in a new point version, 2.4.50, only for a further fix to be required in a new version, 2.5.51.
In a new advisory, the project said: "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
"If files outside these directories are not protected by the usual default configuration 'require all denied', these requests can succeed.
"This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions."
Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project https://t.co/Bq6dyi80FZ < lol incomplete fix of CVE-2021-41773 < CVE-2021-42013 affects 2.4.49 and 2.4.50 ?— Do█████ ██om████ ⚗ (@domineefh) October 11, 2021
Sophos researcher Paul Ducklin summed it up this way: "If the first patch arrives too quickly, then it may not have been reviewed or tested quite as much as you might like.
"So it’s not so much that the next patch in the queue catches up because the first one is too slow, but that the next one has to be completed in a rush to keep up…
"…and, if you aren’t careful, then that second patch might itself beget a third patch, needed to patch the patch that patched the first patch."
Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and independent researchers Shungo Kumasaka and Nattapon Jongcharoen were credited with having found the bug in 2.4.50.
Apache once had about 80% of the Web server software market, but in February this year, a survey by Netcraft found that its share had dropped to 26.3% of sites, 26.4% of domains and 32.7% of Web-facing computers.
nginx leads the Web server software market with 34.5% of sites, 30.4% of domains and 35% of Web-facing computers. But when it comes to the top million busiest sites, Apache has 25.5% of active sites, compared to 19.8% for nginx.