CVE-2021-42013

CRITICALImmediate

Published:Oct 7, 2021(4 years ago)

Modified:Oct 27, 2025

Remote ExploitNo Auth RequiredNo InteractionLow Complexity

Vulnerability Description

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
apache	http_server	-	-
apache	http_server	-	-
fedoraproject	fedora	-

Timeline

Published
CVE disclosed publicly
Oct 7, 20214 years ago
Last Modified
Most recent update
Oct 27, 20256 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

http://www.openwall.com/lists/oss-security/2021/10/16/1Mailing List
http://jvn.jp/en/jp/JVN51106450/index.htmlThird Party Advisory
http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-...Exploit

CVSS Score

v3.1

9.8/ 10.0

CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

At a Glance

Affected Products

References

apache / http_server

http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-...Exploit

http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Trave...Exploit

http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-...Exploit

http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-...Third Party Advisory

http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-...Exploit

http://www.openwall.com/lists/oss-security/2021/10/07/6Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/1Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/2Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/3Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/4Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/5Mailing List

http://www.openwall.com/lists/oss-security/2021/10/08/6Mailing List

http://www.openwall.com/lists/oss-security/2021/10/09/1Mailing List

http://www.openwall.com/lists/oss-security/2021/10/11/4Mailing List

http://www.openwall.com/lists/oss-security/2021/10/15/3Mailing List

https://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes

https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4...Mailing List

https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0e...Mailing List

https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb...Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists...Release Notes

https://security.gentoo.org/glsa/202208-20Third Party Advisory

https://security.netapp.com/advisory/ntap-20211029-0009/Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/...Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch

https://www.oracle.com/security-alerts/cpujan2022.htmlPatch

https://www.povilaika.com/apache-2-4-50-exploit/Exploit

http://jvn.jp/en/jp/JVN51106450/index.htmlThird Party Advisory

http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-...Exploit