CVE-2021-42013

Warning

Exploit

EPSS 94.41%
Published 07.10.2021 16:15:09
Last modified 21.03.2025 21:02:08
Source security@apache.org
Teams watchlist Login
Open Login

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Affected products Warnungen 2 Metrics 4 CWE 1 References 33

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ HTTP Server Version2.4.49

Apache ≫ HTTP Server Version2.4.50

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Oracle ≫ Instantis Enterprisetrack Version17.1

Oracle ≫ Instantis Enterprisetrack Version17.2

Oracle ≫ Instantis Enterprisetrack Version17.3

Oracle ≫ Jd Edwards Enterpriseone Tools Version < 9.2.6.0

Oracle ≫ Secure Backup Version < 18.1.0.1.0

Netapp ≫ Cloud Backup Version-

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache HTTP Server Path Traversal Vulnerability

Vulnerability

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default require all denied or if CGI scripts are enabled. This CVE ID resolves an incomplete patch for CVE-2021-41773.

Description

Apply updates per vendor instructions.

Required actions

06.10.2021: CERT.at Warnung

https://www.cert.at/de/warnungen/2021/10/wichtige-sicherheitslucke-cve-2021-41773-in-apache-http-server-2449-updates-und-workarounds-verfugbar

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.41%	1

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

Release Notes

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://security.gentoo.org/glsa/202208-20

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211029-0009/