{"id":"CVE-2021-42013","details":"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.","aliases":["BIT-apache-2021-42013"],"modified":"2026-04-11T12:38:10.590433Z","published":"2021-10-07T16:15:09.270Z","related":["MGASA-2021-0470","openSUSE-SU-2024:11560-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"17.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"17.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"17.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"9.2.6.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"18.1.0.1.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"34"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"35"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42013"},{"type":"ADVISORY","url":"http://jvn.jp/en/jp/JVN51106450/index.html"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/165089/Apache-HTTP-Serv
er-2.4.50-CVE-2021-42013-Exploitation.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/07/6"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/08/1"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/08/2"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/08/3"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/08/4"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/08/5"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/08/6"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/09/1"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/11/4"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/15/3"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/10/16/1"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-20"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211029-0009/"},{"type":"ADVISORY","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ"},{"type":"FIX","url":"https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ARTICLE","url":"https:
//lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"https://www.povilaika.com/apache-2-4-50-exploit/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/httpd","events":[{"introduced":"0"},{"last_affected":"bbacd798d1494b5a99f4e3edab068ccc77b03b7e"},{"last_affected":"64390481929c527d3fc80051e0213c842437659c"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.4.49"},{"last_affected":"2.4.50"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*"]}}],"versions":["2.4.50","candidate-2.4.49","candidate-2.4.50-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-42013.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}