Vulnerability Details : CVE-2021-41773
Public exploit exists!
Used for ransomware!
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Vulnerability category: Directory traversalExecute code
Products affected by CVE-2021-41773
- cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Threat overview for CVE-2021-41773
Top countries where our scanners detected CVE-2021-41773
Top open port discovered on systems with this issue
80
IPs affected by CVE-2021-41773 5,963
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2021-41773!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
CVE-2021-41773 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Apache HTTP Server Path Traversal Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default �require all denied� or if CGI scripts are enabled. The original patch issued under this CVE ID i
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2021-41773
Added on
2021-11-03
Action due date
2021-11-17
Exploit prediction scoring system (EPSS) score for CVE-2021-41773
97.29%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2021-41773
-
Apache 2.4.49/2.4.50 Traversal RCE scanner
Disclosure Date: 2021-05-10First seen: 2022-12-23auxiliary/scanner/http/apache_normalize_path -
Apache 2.4.49/2.4.50 Traversal RCE
Disclosure Date: 2021-05-10First seen: 2022-12-23exploit/multi/http/apache_normalize_path_rce
CVSS scores for CVE-2021-41773
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-04 |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-41773
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)
References for CVE-2021-41773
-
http://www.openwall.com/lists/oss-security/2021/10/15/3
oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Mailing List;Patch;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/10/08/2
oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Mailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
[SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/10/16/1
oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Mailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
Apache HTTP Server 2.4.50 Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E
CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) -Apache Mail ArchivesMailing List
-
http://www.openwall.com/lists/oss-security/2021/10/08/6
Mailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/10/08/3
oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Exploit;Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r98d704ed4377ed889d40479db79ed1ee2f43b2ebdd79ce84b042df45%40%3Cannounce.apache.org%3E
CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 -Apache Mail ArchivesMailing List
-
https://httpd.apache.org/security/vulnerabilities_24.html
httpd 2.4 vulnerabilities - The Apache HTTP Server ProjectRelease Notes;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20211029-0009/
October 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837@%3Cannounce.apache.org%3E
CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) - Pony MailMailing List;Vendor Advisory
-
https://security.gentoo.org/glsa/202208-20
Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo securityThird Party Advisory
-
https://lists.apache.org/thread.html/r98d704ed4377ed889d40479db79ed1ee2f43b2ebdd79ce84b042df45@%3Cannounce.apache.org%3E
CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 - Pony MailMailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
[SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-ListsRelease Notes
-
https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3@%3Ccvs.httpd.apache.org%3E
[httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings - Pony MailMailing List;Patch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2021/10/07/1
oss-security - RE: CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49Mailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/10/05/2
oss-security - CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49Mailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal-Remote-Code-Execution.html
Apache HTTP Server 2.4.49 Path Traversal / Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://www.openwall.com/lists/oss-security/2021/10/08/1
oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Exploit;Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f%40%3Cusers.httpd.apache.org%3E
[users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 -Apache Mail ArchivesMailing List
-
http://www.openwall.com/lists/oss-security/2021/10/09/1
Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f@%3Cusers.httpd.apache.org%3E
[users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb@%3Cusers.httpd.apache.org%3E
[users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) - Pony MailMailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
[SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E
[users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) -Apache Mail ArchivesMailing List
-
http://www.openwall.com/lists/oss-security/2021/10/08/5
Mailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/10/08/4
oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E
[httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings-Apache Mail ArchivesMailing List;Patch
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
[SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-ListsRelease Notes
-
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html
Apache HTTP Server 2.4.49 Path Traversal ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://www.openwall.com/lists/oss-security/2021/10/07/6
oss-security - CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Mailing List;Third Party Advisory
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
Apache HTTP Server Vulnerabilties: October 2021Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/10/11/4
oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)Mailing List;Patch;Third Party Advisory
Jump to