CVE-2021-42013
CRITICALCISA KEVEPSS 100th pctlDescription
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
Apache HTTP Server Path Traversal Vulnerability
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default require all denied or if CGI scripts are enabled. This CVE ID resolves an incomplete patch for CVE-2021-41773.
Apply updates per vendor instructions.
Remediation due: 2021-11-17
Associated with ransomware campaigns
References
- http://jvn.jp/en/jp/JVN51106450/index.html
- http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html
- http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html
- http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2021/10/07/6
- http://www.openwall.com/lists/oss-security/2021/10/08/1
- http://www.openwall.com/lists/oss-security/2021/10/08/2
- http://www.openwall.com/lists/oss-security/2021/10/08/3
- http://www.openwall.com/lists/oss-security/2021/10/08/4
- http://www.openwall.com/lists/oss-security/2021/10/08/5
- http://www.openwall.com/lists/oss-security/2021/10/08/6
- http://www.openwall.com/lists/oss-security/2021/10/09/1
- http://www.openwall.com/lists/oss-security/2021/10/11/4
- http://www.openwall.com/lists/oss-security/2021/10/15/3
- http://www.openwall.com/lists/oss-security/2021/10/16/1
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211029-0009/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.povilaika.com/apache-2-4-50-exploit/
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-27.