CVE-2021-41773

Warning

Exploit

EPSS 94.38%
Published 05.10.2021 09:15:07
Last modified 21.03.2025 21:07:31
Source security@apache.org
Teams watchlist Login
Open Login

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Affected products Warnungen 2 Metrics 4 CWE 1 References 32

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ HTTP Server Version2.4.49

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Oracle ≫ Instantis Enterprisetrack Version17.1

Oracle ≫ Instantis Enterprisetrack Version17.2

Oracle ≫ Instantis Enterprisetrack Version17.3

Netapp ≫ Cloud Backup Version-

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache HTTP Server Path Traversal Vulnerability

Vulnerability

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default �require all denied� or if CGI scripts are enabled. The original patch issued under this CVE ID is insufficient, please review remediation information under CVE-2021-42013.

Description

Apply updates per vendor instructions.

Required actions

06.10.2021: CERT.at Warnung

https://www.cert.at/de/warnungen/2021/10/wichtige-sicherheitslucke-cve-2021-41773-in-apache-http-server-2449-updates-und-workarounds-verfugbar

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.38%	1

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

Release Notes

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://security.gentoo.org/glsa/202208-20

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211029-0009/

Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ

Third Party Advisory