CVE-2021-41773

CRITICALImmediate

Published:Oct 5, 2021(4 years ago)

Modified:Feb 17, 2026

Remote ExploitNo Auth RequiredNo InteractionLow Complexity

Vulnerability Description

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
apache	http_server	-	-
fedoraproject	fedora	-

Timeline

Published
CVE disclosed publicly
Oct 5, 20214 years ago
Last Modified
Most recent update
Feb 17, 20263 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-...Exploit
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-...Exploit
http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Trave...Exploit

CVSS Score

v3.1

9.8/ 10.0

CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

At a Glance

Affected Products

References

apache / http_server

http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-...Exploit

http://www.openwall.com/lists/oss-security/2021/10/05/2Mailing List

http://www.openwall.com/lists/oss-security/2021/10/07/1Mailing List

http://www.openwall.com/lists/oss-security/2021/10/07/6Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/1Exploit

http://www.openwall.com/lists/oss-security/2021/10/08/2Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/3Exploit

http://www.openwall.com/lists/oss-security/2021/10/08/4Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/5Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/6Mailing List

http://www.openwall.com/lists/oss-security/2021/10/09/1Mailing List

http://www.openwall.com/lists/oss-security/2021/10/11/4Mailing List

http://www.openwall.com/lists/oss-security/2021/10/15/3Mailing List

http://www.openwall.com/lists/oss-security/2021/10/16/1Mailing List

https://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes

https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4...Mailing List

https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf176...Mailing List

https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0e...Mailing List

https://lists.apache.org/thread.html/r98d704ed4377ed889d40479db79ed1ee...Mailing List

https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb...Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists...Release Notes

https://security.gentoo.org/glsa/202208-20Third Party Advisory

https://security.netapp.com/advisory/ntap-20211029-0009/Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/...Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.htmlPatch

http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-...Exploit

http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Trave...Exploit