fkie_nvd - fkie_cve-2021-42013

fkie_cve-2021-42013

Vulnerability from fkie_nvd

Published

2021-10-07 16:15

Modified

2025-03-21 21:02

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

References

URL	Tags
security@apache.org	http://jvn.jp/en/jp/JVN51106450/index.html	Third Party Advisory
security@apache.org	http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html	Third Party Advisory, VDB Entry
security@apache.org	http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/07/6	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/08/1	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/08/2	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/08/3	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/08/4	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/08/5	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/08/6	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/09/1	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/11/4	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/15/3	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2021/10/16/1	Mailing List, Third Party Advisory
security@apache.org	https://httpd.apache.org/security/vulnerabilities_24.html	Release Notes, Vendor Advisory
security@apache.org	https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E	Mailing List, Patch
security@apache.org	https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E	Mailing List
security@apache.org	https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E	Mailing List
security@apache.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/	Release Notes
security@apache.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/	Release Notes
security@apache.org	https://security.gentoo.org/glsa/202208-20	Third Party Advisory
security@apache.org	https://security.netapp.com/advisory/ntap-20211029-0009/	Third Party Advisory
security@apache.org	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ	Third Party Advisory
security@apache.org	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch, Third Party Advisory
security@apache.org	https://www.oracle.com/security-alerts/cpujan2022.html	Patch, Third Party Advisory
security@apache.org	https://www.povilaika.com/apache-2-4-50-exploit/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://jvn.jp/en/jp/JVN51106450/index.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/07/6	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/08/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/08/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/08/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/08/4	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/08/5	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/08/6	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/09/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/11/4	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/15/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/10/16/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://httpd.apache.org/security/vulnerabilities_24.html	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E	Mailing List, Patch
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202208-20	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20211029-0009/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujan2022.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.povilaika.com/apache-2-4-50-exploit/	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
apache	http_server	2.4.49
apache	http_server	2.4.50
fedoraproject	fedora	34
fedoraproject	fedora	35
oracle	instantis_enterprisetrack	17.1
oracle	instantis_enterprisetrack	17.2
oracle	instantis_enterprisetrack	17.3
oracle	jd_edwards_enterpriseone_tools	*
oracle	secure_backup	*
netapp	cloud_backup	-

JSON

To clipboard

{
   cisaActionDue: "2021-11-17",
   cisaExploitAdd: "2021-11-03",
   cisaRequiredAction: "Apply updates per vendor instructions.",
   cisaVulnerabilityName: "Apache HTTP Server Path Traversal Vulnerability",
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*",
                     matchCriteriaId: "B201CFB2-F626-4DD0-9F6A-DFE8F64203E2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*",
                     matchCriteriaId: "F7E0AFD3-D661-4631-86AB-D26F12083D1C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "7F69B9A5-F21B-4904-9F27-95C0F7A628E3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "86305E47-33E9-411C-B932-08C395C09982",
                     versionEndExcluding: "9.2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C01E8B82-71C7-4A4A-A70A-7B147524AB4A",
                     versionEndExcluding: "18.1.0.1.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.",
      },
      {
         lang: "es",
         value: "Se ha detectado que la corrección de CVE-2021-41773 en Apache HTTP Server versión 2.4.50 no era suficiente. Un atacante podía usar un ataque de salto de ruta para asignar URLs a archivos fuera de los directorios configurados por las directivas tipo Alias. Si los archivos fuera de estos directorios no están protegidos por la configuración habitual por defecto \"require all denied\", estas peticiones pueden tener éxito. Si los scripts CGI también están habilitados para estas rutas alias, esto podría permitir una ejecución de código remota . Este problema sólo afecta a Apache versión  2.4.49 y Apache versión 2.4.50 y no a versiones anteriores",
      },
   ],
   id: "CVE-2021-42013",
   lastModified: "2025-03-21T21:02:08.750",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2021-10-07T16:15:09.270",
   references: [
      {
         source: "security@apache.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://jvn.jp/en/jp/JVN51106450/index.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/07/6",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/1",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/2",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/3",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/4",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/5",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/6",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/09/1",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/11/4",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/15/3",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/16/1",
      },
      {
         source: "security@apache.org",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://httpd.apache.org/security/vulnerabilities_24.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Patch",
         ],
         url: "https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E",
      },
      {
         source: "security@apache.org",
         tags: [
            "Release Notes",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/",
      },
      {
         source: "security@apache.org",
         tags: [
            "Release Notes",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/",
      },
      {
         source: "security@apache.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202208-20",
      },
      {
         source: "security@apache.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20211029-0009/",
      },
      {
         source: "security@apache.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ",
      },
      {
         source: "security@apache.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "security@apache.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.povilaika.com/apache-2-4-50-exploit/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://jvn.jp/en/jp/JVN51106450/index.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/07/6",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/5",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/08/6",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/09/1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/11/4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/15/3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2021/10/16/1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://httpd.apache.org/security/vulnerabilities_24.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Patch",
         ],
         url: "https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202208-20",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20211029-0009/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.povilaika.com/apache-2-4-50-exploit/",
      },
   ],
   sourceIdentifier: "security@apache.org",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "security@apache.org",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
            {
               lang: "en",
               value: "NVD-CWE-Other",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

cve-2021-42013

Vulnerability from cvelistv5

Published

2021-10-07 15:50

Modified

2025-02-04 14:29

Severity ?

Summary

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/07/6	mailing-list, x_refsource_MLIST
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ	vendor-advisory, x_refsource_CISCO
	http://jvn.jp/en/jp/JVN51106450/index.html	third-party-advisory, x_refsource_JVN
	http://www.openwall.com/lists/oss-security/2021/10/08/1	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/08/2	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/08/3	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/08/4	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/08/6	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/08/5	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/09/1	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/11/4	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/	vendor-advisory, x_refsource_FEDORA
	http://www.openwall.com/lists/oss-security/2021/10/15/3	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/10/16/1	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20211029-0009/	x_refsource_CONFIRM
	http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html	x_refsource_MISC
	http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html	x_refsource_MISC
	http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html	x_refsource_MISC
	http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html	x_refsource_MISC
	http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html	x_refsource_MISC
	https://www.povilaika.com/apache-2-4-50-exploit/	x_refsource_MISC
	https://security.gentoo.org/glsa/202208-20	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Version: Apache HTTP Server 2.4.49 Version: Apache HTTP Server 2.4.50

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:22:25.641Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://httpd.apache.org/security/vulnerabilities_24.html",
               },
               {
                  name: "[announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E",
               },
               {
                  name: "[httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E",
               },
               {
                  name: "[oss-security] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/07/6",
               },
               {
                  name: "20211007 Apache HTTP Server Vulnerabilties: October 2021",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_CISCO",
                     "x_transferred",
                  ],
                  url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ",
               },
               {
                  name: "JVN#51106450",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_JVN",
                     "x_transferred",
                  ],
                  url: "http://jvn.jp/en/jp/JVN51106450/index.html",
               },
               {
                  name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/08/1",
               },
               {
                  name: "[httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E",
               },
               {
                  name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/08/2",
               },
               {
                  name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/08/3",
               },
               {
                  name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/08/4",
               },
               {
                  name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/08/6",
               },
               {
                  name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/08/5",
               },
               {
                  name: "[oss-security] 20211009 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/09/1",
               },
               {
                  name: "[oss-security] 20211011 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/11/4",
               },
               {
                  name: "FEDORA-2021-2a10bc68a4",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/",
               },
               {
                  name: "FEDORA-2021-aaf90ef84a",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/",
               },
               {
                  name: "[oss-security] 20211015 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/15/3",
               },
               {
                  name: "[oss-security] 20211016 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/10/16/1",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20211029-0009/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.povilaika.com/apache-2-4-50-exploit/",
               },
               {
                  name: "GLSA-202208-20",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202208-20",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 9.8,
                     baseSeverity: "CRITICAL",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "HIGH",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2021-42013",
                        options: [
                           {
                              Exploitation: "active",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-04T14:28:39.366525Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
               {
                  other: {
                     content: {
                        dateAdded: "2021-11-03",
                        reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2021-42013",
                     },
                     type: "kev",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-04T14:29:01.508Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "Apache HTTP Server",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     status: "affected",
                     version: "Apache HTTP Server 2.4.49",
                  },
                  {
                     status: "affected",
                     version: "Apache HTTP Server 2.4.50",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     other: "critical",
                  },
                  type: "unknown",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-08-14T01:06:15.000Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://httpd.apache.org/security/vulnerabilities_24.html",
            },
            {
               name: "[announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E",
            },
            {
               name: "[httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E",
            },
            {
               name: "[oss-security] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/07/6",
            },
            {
               name: "20211007 Apache HTTP Server Vulnerabilties: October 2021",
               tags: [
                  "vendor-advisory",
                  "x_refsource_CISCO",
               ],
               url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ",
            },
            {
               name: "JVN#51106450",
               tags: [
                  "third-party-advisory",
                  "x_refsource_JVN",
               ],
               url: "http://jvn.jp/en/jp/JVN51106450/index.html",
            },
            {
               name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/08/1",
            },
            {
               name: "[httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E",
            },
            {
               name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/08/2",
            },
            {
               name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/08/3",
            },
            {
               name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/08/4",
            },
            {
               name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/08/6",
            },
            {
               name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/08/5",
            },
            {
               name: "[oss-security] 20211009 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/09/1",
            },
            {
               name: "[oss-security] 20211011 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/11/4",
            },
            {
               name: "FEDORA-2021-2a10bc68a4",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/",
            },
            {
               name: "FEDORA-2021-aaf90ef84a",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/",
            },
            {
               name: "[oss-security] 20211015 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/15/3",
            },
            {
               name: "[oss-security] 20211016 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/10/16/1",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20211029-0009/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.povilaika.com/apache-2-4-50-exploit/",
            },
            {
               name: "GLSA-202208-20",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202208-20",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         timeline: [
            {
               lang: "en",
               time: "2021-10-06T00:00:00",
               value: "reported",
            },
         ],
         title: "Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security@apache.org",
               ID: "CVE-2021-42013",
               STATE: "PUBLIC",
               TITLE: "Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Apache HTTP Server",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "=",
                                          version_name: "Apache HTTP Server",
                                          version_value: "2.4.49",
                                       },
                                       {
                                          version_affected: "=",
                                          version_name: "Apache HTTP Server",
                                          version_value: "2.4.50",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Apache Software Foundation",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: [
               {
                  other: "critical",
               },
            ],
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://httpd.apache.org/security/vulnerabilities_24.html",
                     refsource: "MISC",
                     url: "https://httpd.apache.org/security/vulnerabilities_24.html",
                  },
                  {
                     name: "[announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837@%3Cannounce.apache.org%3E",
                  },
                  {
                     name: "[httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb@%3Cusers.httpd.apache.org%3E",
                  },
                  {
                     name: "[oss-security] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/07/6",
                  },
                  {
                     name: "20211007 Apache HTTP Server Vulnerabilties: October 2021",
                     refsource: "CISCO",
                     url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ",
                  },
                  {
                     name: "JVN#51106450",
                     refsource: "JVN",
                     url: "http://jvn.jp/en/jp/JVN51106450/index.html",
                  },
                  {
                     name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/08/1",
                  },
                  {
                     name: "[httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3@%3Ccvs.httpd.apache.org%3E",
                  },
                  {
                     name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/08/2",
                  },
                  {
                     name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/08/3",
                  },
                  {
                     name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/08/4",
                  },
                  {
                     name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/08/6",
                  },
                  {
                     name: "[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/08/5",
                  },
                  {
                     name: "[oss-security] 20211009 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/09/1",
                  },
                  {
                     name: "[oss-security] 20211011 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/11/4",
                  },
                  {
                     name: "FEDORA-2021-2a10bc68a4",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/",
                  },
                  {
                     name: "FEDORA-2021-aaf90ef84a",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/",
                  },
                  {
                     name: "[oss-security] 20211015 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/15/3",
                  },
                  {
                     name: "[oss-security] 20211016 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/10/16/1",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20211029-0009/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20211029-0009/",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html",
                  },
                  {
                     name: "https://www.povilaika.com/apache-2-4-50-exploit/",
                     refsource: "MISC",
                     url: "https://www.povilaika.com/apache-2-4-50-exploit/",
                  },
                  {
                     name: "GLSA-202208-20",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202208-20",
                  },
               ],
            },
            source: {
               discovery: "UNKNOWN",
            },
            timeline: [
               {
                  lang: "en",
                  time: "2021-10-06T00:00:00",
                  value: "reported",
               },
            ],
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2021-42013",
      datePublished: "2021-10-07T15:50:14.000Z",
      dateReserved: "2021-10-06T00:00:00.000Z",
      dateUpdated: "2025-02-04T14:29:01.508Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted