CVE-2021-42013 : It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was in

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Published 2021-10-07 16:15:09

Updated 2025-02-04 15:15:13

Source Apache Software Foundation

View at NVD, CVE.org

Vulnerability category: Directory traversalExecute code

Products affected by CVE-2021-42013

Apache » Http Server » Version: 2.4.49
cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.4.50
cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*
Matching versions
Oracle » Secure Backup
Versions before (<) 18.1.0.1.0
cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*
Matching versions
Oracle » Jd Edwards Enterpriseone Tools
Versions before (<) 9.2.6.0
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Matching versions
Oracle » Instantis Enterprisetrack » Version: 17.1
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
Matching versions
Oracle » Instantis Enterprisetrack » Version: 17.2
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
Matching versions
Oracle » Instantis Enterprisetrack » Version: 17.3
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2021-42013

Top countries where our scanners detected CVE-2021-42013

Top open port discovered on systems with this issue 80

IPs affected by CVE-2021-42013 7,613

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-42013!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

CVE-2021-42013 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.

CISA vulnerability name:

Apache HTTP Server Path Traversal Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default require all denied or if CGI scripts are enabled. This CVE ID resolves an incomplete patch for CV

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2021-42013

Added on 2021-11-03 Action due date 2021-11-17

Exploit prediction scoring system (EPSS) score for CVE-2021-42013

EPSS FAQ

94.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2021-42013

Apache 2.4.49/2.4.50 Traversal RCE scanner

Disclosure Date: 2021-05-10

First seen: 2022-12-23

auxiliary/scanner/http/apache_normalize_path

More information
Apache 2.4.49/2.4.50 Traversal RCE

Disclosure Date: 2021-05-10

First seen: 2022-12-23

exploit/multi/http/apache_normalize_path_rce

More information

CVSS scores for CVE-2021-42013

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-04
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-42013

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)

References for CVE-2021-42013

http://jvn.jp/en/jp/JVN51106450/index.html

JVN#51106450: Apache HTTP Server vulnerable to directory traversal
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/15/3

oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/08/2

oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/

[SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/16/1

oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html

Apache HTTP Server 2.4.50 Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E

CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) -Apache Mail Archives
Mailing List

CVEs referencing this url
https://www.povilaika.com/apache-2-4-50-exploit/

Using a CVE-2021-42013 Apache 2.4.50 exploit in the wild
Exploit;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/08/6

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/08/3

oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url
https://httpd.apache.org/security/vulnerabilities_24.html

httpd 2.4 vulnerabilities - The Apache HTTP Server Project
Release Notes;Vendor Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html

Apache 2.4.50 Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html

Apache HTTP Server 2.4.50 Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20211029-0009/

October 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837@%3Cannounce.apache.org%3E

CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) - Pony Mail
Mailing List

CVEs referencing this url
https://security.gentoo.org/glsa/202208-20

Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/

[SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-Lists
Release Notes

CVEs referencing this url
https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3@%3Ccvs.httpd.apache.org%3E

[httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/08/1

oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/09/1

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb@%3Cusers.httpd.apache.org%3E

[users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) - Pony Mail
Mailing List

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/

[SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-Lists
Mailing List

CVEs referencing this url
http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html

Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E

[users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) -Apache Mail Archives
Mailing List

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/08/5

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/08/4

oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html

Apache HTTP Server 2.4.50 CVE-2021-42013 Exploitation ≈ Packet Storm
Third Party Advisory;VDB Entry
https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E

[httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings-Apache Mail Archives
Mailing List;Patch

CVEs referencing this url
http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html

Apache HTTP Server 2.4.50 Path Traversal / Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/

[SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-Lists
Release Notes

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/07/6

oss-security - CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ

Apache HTTP Server Vulnerabilties: October 2021
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/10/11/4

oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-42013