CVE-2021-41773

Apache HTTP Server Path Traversal Vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

140

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Se ha encontrado un fallo en un cambio realizado en la normalización de rutas en Apache HTTP Server 2.4.49. Un atacante podría utilizar un ataque de recorrido para asignar URLs a archivos fuera de los directorios configurados por las directivas tipo Alias. Si los archivos fuera de estos directorios no están protegidos por la configuración habitual por defecto "require all denied", estas peticiones pueden tener éxito. Si los scripts CGI también están habilitados para estas rutas alias, esto podría permitir la ejecución remota de código. Se sabe que este problema ha sido explotado en la naturaleza. Este problema sólo afecta a Apache 2.4.49 y no a versiones anteriores. La corrección en Apache HTTP Server 2.4.50 es incompleta, véase CVE-2021-42013

Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Versions less than 2.4.54 are affected.

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default �require all denied� or if CGI scripts are enabled. The original patch issued under this CVE ID is insufficient, please review remediation information under CVE-2021-42013.

*Credits: This issue was reported by Ash Daulton along with the cPanel Security Team

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2021-09-29 CVE Reserved
2021-10-05 CVE Published
2021-10-05 First Exploit
2021-11-03 Exploited in Wild
2021-11-17 KEV Due Date
2025-02-04 CVE Updated
2025-07-18 EPSS Updated

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (167)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/10/05/2	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/07/1	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/07/6	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/08/2	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/08/4	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/08/5	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/08/6	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/09/1	Mailing List
http://www.openwall.com/lists/oss-security/2021/10/16/1	Mailing List
https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f%40%3Cusers.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r98d704ed4377ed889d40479db79ed1ee2f43b2ebdd79ce84b042df45%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E	Mailing List
https://security.netapp.com/advisory/ntap-20211029-0009	Third Party Advisory
https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse
https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml
https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74
https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis

URL	Date	SRC
https://packetstorm.news/files/id/181114	2024-09-01
https://packetstorm.news/files/id/164418	2021-10-06
https://packetstorm.news/files/id/164941	2021-11-11
https://packetstorm.news/files/id/164629	2021-10-25
https://www.exploit-db.com/exploits/50512	2022-04-19
https://www.exploit-db.com/exploits/50383	2022-02-11
https://github.com/blasty/CVE-2021-41773	2021-10-07
https://github.com/thehackersbrain/CVE-2021-41773	2022-03-12
https://github.com/iilegacyyii/PoC-CVE-2021-41773	2021-11-24
https://github.com/lorddemon/CVE-2021-41773-PoC	2021-10-06
https://github.com/0xRar/CVE-2021-41773	2021-10-08
https://github.com/ZephrFish/CVE-2021-41773-PoC	2021-10-06
https://github.com/itsecurityco/CVE-2021-41773	2022-10-07
https://github.com/BlueTeamSteve/CVE-2021-41773	2021-10-06
https://github.com/j4k0m/CVE-2021-41773	2021-10-05
https://github.com/zeronine9/CVE-2021-41773	2021-10-08
https://github.com/creadpag/CVE-2021-41773-POC	2022-12-28
https://github.com/knqyf263/CVE-2021-41773	2021-10-06
https://github.com/numanturle/CVE-2021-41773	2021-10-05
https://github.com/1nhann/CVE-2021-41773	2021-10-08
https://github.com/jbovet/CVE-2021-41773	2021-10-06
https://github.com/habibiefaried/CVE-2021-41773-PoC	2021-10-06
https://github.com/TishcaTpx/POC-CVE-2021-41773	2021-10-05
https://github.com/jheeree/Simple-CVE-2021-41773-checker	2021-10-12
https://github.com/orangmuda/CVE-2021-41773	2021-10-07
https://github.com/LudovicPatho/CVE-2021-41773	2022-10-26
https://github.com/pirenga/CVE-2021-41773	2021-11-11
https://github.com/noflowpls/CVE-2021-41773	2022-11-15
https://github.com/Sakura-nee/CVE-2021-41773	2021-10-07
https://github.com/shellreaper/CVE-2021-41773	2021-11-12
https://github.com/mr-exo/CVE-2021-41773	2021-10-26
https://github.com/aqiao-jashell/CVE-2021-41773	2023-05-25
https://github.com/aqiao-jashell/py-CVE-2021-41773	2023-05-25
https://github.com/belajarqywok/CVE-2021-41773-MSF	2023-08-11
https://github.com/n3k00n3/CVE-2021-41773	2021-10-08
https://github.com/corelight/CVE-2021-41773	2021-10-28
https://github.com/ranggaggngntt/CVE-2021-41773	2022-06-11
https://github.com/mauricelambert/CVE-2021-41773	2022-03-14
https://github.com/Vulnmachines/cve-2021-41773	2024-09-03
https://github.com/masahiro331/CVE-2021-41773	2024-08-12
https://github.com/Ls4ss/CVE-2021-41773_CVE-2021-42013	2024-08-12
https://github.com/TAI-REx/cve-2021-41773-nse	2021-11-26
https://github.com/PentesterGuruji/CVE-2021-41773	2024-08-12
https://github.com/mohwahyudi/cve-2021-41773	2024-08-12
https://github.com/Zeop-CyberSec/apache_normalize_path	2024-08-12
https://github.com/r00tVen0m/CVE-2021-41773	2024-08-12
https://github.com/fnatalucci/CVE-2021-41773-RCE	2024-08-12
https://github.com/AssassinUKG/CVE-2021-41773	2024-08-12
https://github.com/HightechSec/scarce-apache2	2024-09-16
https://github.com/vinhjaxt/CVE-2021-41773-exploit	2024-08-12
https://github.com/sixpacksecurity/CVE-2021-41773	2021-10-07
https://github.com/Hattan515/POC-CVE-2021-41773	2024-08-21
https://github.com/twseptian/cve-2021-41773	2024-09-26
https://github.com/McSl0vv/CVE-2021-41773	2021-10-07
https://github.com/shiomiyan/CVE-2021-41773	2021-10-15
https://github.com/justakazh/mass_cve-2021-41773	2024-08-12
https://github.com/pisut4152/Sigma-Rule-for-CVE-2021-41773-and-CVE-2021-42013-exploitation-attempt	2024-08-12
https://github.com/b1tsec/CVE-2021-41773	2024-08-12
https://github.com/superzerosec/CVE-2021-41773	2024-08-12
https://github.com/im-hanzou/apachrot	2024-10-25
https://github.com/inbug-team/CVE-2021-41773_CVE-2021-42013	2024-12-04
https://github.com/5gstudent/cve-2021-41773-and-cve-2021-42013	2024-09-15
https://github.com/EagleTube/CVE-2021-41773	2024-08-12
https://github.com/apapedulimu/Apachuk	2024-08-12
https://github.com/scarmandef/CVE-2021-41773	2021-10-14
https://github.com/ksanchezcld/httpd-2.4.49	2023-04-29
https://github.com/MrCl0wnLab/SimplesApachePathTraversal	2024-08-28
https://github.com/theLSA/apache-httpd-path-traversal-checker	2023-03-19
https://github.com/lopqto/CVE-2021-41773_Honeypot	2024-03-02
https://github.com/zerodaywolf/CVE-2021-41773_42013	2024-09-26
https://github.com/LayarKacaSiber/CVE-2021-41773	2021-10-23
https://github.com/BabyTeam1024/CVE-2021-41773	2024-08-12
https://github.com/walnutsecurity/cve-2021-41773	2024-08-25
https://github.com/TheLastVvV/CVE-2021-41773	2021-10-23
https://github.com/MazX0p/CVE-2021-41773	2022-07-01
https://github.com/vida003/Scanner-CVE-2021-41773	2021-10-25
https://github.com/wolf1892/CVE-2021-41773	2021-10-29
https://github.com/Hydragyrum/CVE-2021-41773-Playground	2024-11-16
https://github.com/IcmpOff/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution-Exploit	2024-10-17
https://github.com/kubota/POC-CVE-2021-41773	2021-11-16
https://github.com/xMohamed0/CVE-2021-41773	2021-11-14
https://github.com/i6c/MASS_CVE-2021-41773	2024-11-10
https://github.com/m96dg/CVE-2021-41773-exercise	2022-01-26
https://github.com/skentagon/CVE-2021-41773	2024-10-28
https://github.com/the29a/CVE-2021-41773	2022-03-11
https://github.com/honypot/CVE-2021-41773	2022-03-14
https://github.com/Fa1c0n35/CVE-2021-41773	2022-03-14
https://github.com/puckiestyle/CVE-2021-41773	2022-03-28
https://github.com/zer0qs/CVE-2021-41773	2022-03-30
https://github.com/DoTuan1/Reserch-CVE-2021-41773	2022-03-31
https://github.com/bernardas/netsec-polygon	2022-04-03
https://github.com/CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit	2024-08-21
https://github.com/vuongnv3389-sec/cve-2021-41773	2022-04-06
https://github.com/Chocapikk/CVE-2021-41773	2024-08-12
https://github.com/wangfly-me/Apache_Penetration_Tool	2024-09-05
https://github.com/anldori/CVE-2021-41773-Scanner	2022-05-12
https://github.com/iosifache/ApacheRCEEssay	2023-02-14
https://github.com/Habib0x0/CVE-2021-41773	2024-02-20
https://github.com/pwn3z/CVE-2021-41773-Apache-RCE	2022-06-17
https://github.com/EkamSinghWalia/Mitigation-Apache-CVE-2021-41773-	2022-07-22
https://github.com/Plunder283/CVE-2021-41773	2022-08-04
https://github.com/mightysai1997/cve-2021-41773	2022-09-15
https://github.com/dileepdkumar/LayarKacaSiber-CVE-2021-41773	2022-09-20
https://github.com/12345qwert123456/CVE-2021-41773	2022-11-21
https://github.com/blackn0te/Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution	2024-10-21
https://github.com/TheKernelPanic/exploit-apache2-cve-2021-41773	2024-07-27
https://github.com/retrymp3/apache2.4.49VulnerableLabSetup	2023-02-17
https://github.com/MatanelGordon/docker-cve-2021-41773	2023-04-27
https://github.com/0xGabe/Apache-CVEs	2023-06-04
https://github.com/OfriOuzan/CVE-2021-41773_CVE-2021-42013_Exploits	2023-11-10
https://github.com/Iris288/CVE-2021-41773	2023-11-20
https://github.com/Maybe4a6f7365/CVE-2021-41773	2024-06-03
https://github.com/Zyx2440/Apache-HTTP-Server-2.4.50-RCE	2024-08-27
https://github.com/0xc4t/CVE-2021-41773	2024-08-27
https://github.com/jkska23/Additive-Vulnerability-Analysis-CVE-2021-41773	2024-08-28
https://github.com/norrig/CVE-2021-41773-exploiter	2022-01-12
https://github.com/redspy-sec/CVE-2021-41773	2024-12-16
https://github.com/FakesiteSecurity/CVE-2021-41773	2025-01-03
https://github.com/Taldrid1/cve-2021-41773	2025-01-07
https://github.com/tiemio/SSH-key-and-RCE-PoC-for-CVE-2021-41773	2025-02-02
https://github.com/ch4os443/CVE-2021-41773	2021-10-14
https://github.com/Vanshuk-Bhagat/Apache-HTTP-Server-Vulnerabilities-CVE-2021-41773-and-CVE-2021-42013	2025-03-11
https://github.com/javaamo/CVE-2021-41773	2025-03-19
https://github.com/ashique-thaha/CVE-2021-41773-POC	2025-03-20
https://github.com/Soliux/CVE-2021-41773	2025-03-26
https://github.com/luongchivi/CVE-2021-41773	2025-03-28
https://github.com/khaidtraivch/CVE-2021-41773-Apache-2.4.49-	2025-04-14
https://github.com/JIYUN02/cve-2021-41773	2025-04-24
https://github.com/Ask-os/CVE-2021-41773	2025-05-28
https://github.com/RizqiSec/CVE-2021-41773	2021-10-07
https://github.com/CyberQuestor-infosec/CVE-2021-41773-Apache_2.4.49-Path-traversal-to-RCE	2025-06-12
https://github.com/psibot/apache-vulnerable	2025-07-01
https://github.com/blu3ming/PoC-CVE-2021-41773	2025-07-02
https://github.com/r0otk3r/CVE-2021-41773	2025-07-05
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal-Remote-Code-Execution.html	2025-02-04
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html	2025-02-04
http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html	2025-02-04
http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html	2025-02-04
http://www.openwall.com/lists/oss-security/2021/10/08/1	2025-02-04
http://www.openwall.com/lists/oss-security/2021/10/08/3	2025-02-04

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2021/10/11/4	2023-11-07
http://www.openwall.com/lists/oss-security/2021/10/15/3	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07

URL	Date	SRC
https://httpd.apache.org/security/vulnerabilities_24.html	2021-05-10
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3	2023-11-07
https://security.gentoo.org/glsa/202208-20	2023-11-07
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.49 Search vendor "Apache" for product "Http Server" and version "2.4.49"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.1 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.1"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.2 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.2"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.3 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.3"		-		Affected
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected