← Back

CVE-2021-42013

nvd nistnuclei
Published: Oct 7, 2021Modified: Oct 27, 2025CISA KEV

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Affected (10)

Show all products
Apache: Http Server · Fedoraproject: Fedora · Oracle: Instantis Enterprisetrack, Jd Edwards Enterpriseone Tools, Secure Backup · Netapp: Cloud Backup
Apache
1 product
Http Server
Fedoraproject
1 product
Fedora
Oracle
3 products
Instantis Enterprisetrack
Jd Edwards Enterpriseone Tools
Secure Backup
Netapp
1 product
Cloud Backup
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Apache
Http Server
Version 2.4.49
Http Server
Version 2.4.50
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 34
Fedora
Version 35
Configuration C
5 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Instantis Enterprisetrack
Version 17.1
Instantis Enterprisetrack
Version 17.2
Instantis Enterprisetrack
Version 17.3
Jd Edwards Enterpriseone Tools
Before 9.2.6.0
Secure Backup
Before 18.1.0.1.0
Configuration D
1 vulnerable
Vulnerable SoftwareAffected Versions
Cloud Backup
All versions

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (61)

Source: security@apache.org
Third Party Advisory
Source: security@apache.org
ExploitThird Party AdvisoryVDB Entry
Source: security@apache.org
ExploitThird Party AdvisoryVDB Entry
Source: security@apache.org
ExploitThird Party AdvisoryVDB Entry
Source: security@apache.org
ExploitThird Party AdvisoryVDB Entry
Source: security@apache.org
Third Party AdvisoryVDB Entry
Source: security@apache.org
ExploitThird Party AdvisoryVDB Entry
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Mailing ListThird Party Advisory
Source: security@apache.org
Release NotesVendor Advisory
Source: security@apache.org
Mailing ListPatch
Source: security@apache.org
Mailing List
Source: security@apache.org
Mailing List
Source: security@apache.org
Release Notes
Source: security@apache.org
Release Notes
Source: security@apache.org
Third Party Advisory
Source: security@apache.org
Third Party Advisory
Source: security@apache.org
Third Party Advisory
Source: security@apache.org
PatchThird Party Advisory
Source: security@apache.org
PatchThird Party Advisory
Source: security@apache.org
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.