CVE-2021-42013
Summary
| CVE | CVE-2021-42013 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-07 16:15:00 UTC |
| Updated | 2023-11-07 03:39:00 UTC |
| Description | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. |
Risk And Classification
EPSS: 0.944100000 probability, percentile 0.999780000 (date 2026-04-16)
CISA KEV: Listed on 2021-11-03; due 2021-11-17; ransomware use: Known
Problem Types: CWE-22 | NVD-CWE-Other
CISA Known Exploited Vulnerability
| Vendor | Apache |
|---|---|
| Product | HTTP Server |
| Name | Apache HTTP Server Path Traversal Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2021-42013 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | 2.4.49 | All | All | All |
| Application | Apache | Http Server | 2.4.50 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Netapp | Cloud Backup | - | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.2 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.3 | All | All | All |
| Application | Oracle | Jd Edwards Enterpriseone Tools | All | All | All | All |
| Application | Oracle | Secure Backup | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security | GENTOO | security.gentoo.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| [SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Apache 2.4.50 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Apache HTTP Server 2.4.50 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| JVN#51106450: Apache HTTP Server vulnerable to directory traversal | JVN | jvn.jp | |
| oss-security - CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache HTTP Server Vulnerabilties: October 2021 | CISCO | tools.cisco.com | |
| [SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| October 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | | lists.apache.org | |
| [announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| [httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings | | lists.apache.org | |
| Apache HTTP Server 2.4.50 CVE-2021-42013 Exploitation ≈ Packet Storm | MISC | packetstormsecurity.com | |
| [SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | MISC | httpd.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Apache HTTP Server 2.4.50 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Using a CVE-2021-42013 Apache 2.4.50 exploit in the wild | MISC | www.povilaika.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| oss-security - Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | MLIST | www.openwall.com | |
| Apache HTTP Server 2.4.50 Path Traversal / Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Vendor Comments And Credit
Discovery Credit
LEGACY: Reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka
Legacy QID Mappings
- 150374 Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)
- 184409 Debian Security Update for apache2 (CVE-2021-42013)
- 281975 Fedora Security Update for httpd (FEDORA-2021-2a10bc68a4)
- 352857 Amazon Linux Security Advisory for httpd24: ALAS-2021-1543
- 352858 Amazon Linux Security Advisory for httpd: ALAS2-2021-1716
- 500024 Alpine Linux Security Update for apache2
- 503715 Alpine Linux Security Update for apache2
- 690209 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (d001c189-2793-11ec-8fb1-206a8a720317)
- 710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
- 87466 Apache Hypertext Transfer Protocol (HTTP) Server Path Traversal Vulnerability