CVE-2021-41773
Summary
| CVE | CVE-2021-41773 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-05 09:15:00 UTC |
| Updated | 2023-11-07 03:39:00 UTC |
| Description | A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. |
Risk And Classification
EPSS: 0.943910000 probability, percentile 0.999730000 (date 2026-04-16)
CISA KEV: Listed on 2021-11-03; due 2021-11-17; ransomware use Known
Problem Types: CWE-22
CISA Known Exploited Vulnerability
| Vendor | Apache |
|---|---|
| Product | HTTP Server |
| Name | Apache HTTP Server Path Traversal Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2021-41773 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | 2.4.49 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Netapp | Cloud Backup | - | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.2 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security | GENTOO | security.gentoo.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| [SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| oss-security - CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| oss-security - RE: CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 | MLIST | www.openwall.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache HTTP Server Vulnerabilties: October 2021 | CISCO | tools.cisco.com | |
| [httpd-users] 20211005 [users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 | lists.apache.org | ||
| [SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| October 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | lists.apache.org | ||
| [announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [announce] 20211005 CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 | lists.apache.org | ||
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| [httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings | lists.apache.org | ||
| [SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | MISC | httpd.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Apache HTTP Server 2.4.50 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| oss-security - CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 | MLIST | www.openwall.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache HTTP Server 2.4.49 Path Traversal / Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache HTTP Server 2.4.49 Path Traversal ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Vendor Comments And Credit
Discovery Credit
LEGACY: This issue was reported by Ash Daulton along with the cPanel Security Team
Legacy QID Mappings
- 150372 Apache HTTP Server Path Traversal (CVE-2021-41773)
- 150373 Apache HTTP Server Remote Code Execution (CVE-2021-41773)
- 182596 Debian Security Update for apache2 (CVE-2021-41773)
- 281975 Fedora Security Update for httpd (FEDORA-2021-2a10bc68a4)
- 352857 Amazon Linux Security Advisory for httpd24: ALAS-2021-1543
- 352858 Amazon Linux Security Advisory for httpd: ALAS2-2021-1716
- 500023 Alpine Linux Security Update for apache2
- 503714 Alpine Linux Security Update for apache2
- 690017 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (25b78bdd-25b8-11ec-a341-d4c9ef517024)
- 710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
- 87465 Apache Hypertext Transfer Protocol Server (HTTP Server) Path Traversal and Null Pointer Dereference Vulnerabilities
- 900395 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (5962)