CVE-2021-42013 (CNNVD-202110-413)

CRITICAL 有利用代码
中文标题:
Apache HTTP Server 安全漏洞
英文标题:
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
CVSS分数: 9.8
发布时间: 2021-10-07 15:50:14
漏洞类型: 其他
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v6
漏洞描述
中文描述:

Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 存在安全漏洞,该漏洞源于发现 Apache HTTP Server 2.4.50 版本中对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别名路径启用了 CGI 脚本,则可以允许远程代码执行。

英文描述:

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

CWE类型:
CWE-22
标签:
webapps multiple Lucas Souza ThelastVvV Valentin Lobstein
受影响产品
厂商 产品 版本 版本范围 平台 CPE
Apache Software Foundation Apache HTTP Server Apache HTTP Server 2.4.49 - - cpe:2.3:a:apache_software_foundation:apache_http_server:apache_http_server_2.4.49:*:*:*:*:*:*:*
Apache Software Foundation Apache HTTP Server Apache HTTP Server 2.4.50 - - cpe:2.3:a:apache_software_foundation:apache_http_server:apache_http_server_2.4.50:*:*:*:*:*:*:*
apache http_server 2.4.49 - - cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
apache http_server 2.4.50 - - cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*
fedoraproject fedora 34 - - cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
fedoraproject fedora 35 - - cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
oracle instantis_enterprisetrack 17.1 - - cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
oracle instantis_enterprisetrack 17.2 - - cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
oracle instantis_enterprisetrack 17.3 - - cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
oracle jd_edwards_enterpriseone_tools * - - cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
oracle secure_backup * - - cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*
netapp cloud_backup - - - cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题 x_refsource_MISC
cve.org
访问
[announce] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[httpd-users] 20211007 [users@httpd] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211007 CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
20211007 Apache HTTP Server Vulnerabilties: October 2021 vendor-advisory
cve.org
访问
JVN#51106450 third-party-advisory
cve.org
访问
[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[httpd-cvs] 20211008 [httpd-site] branch main updated: * Align with CVE-2021-42013 based on the latest findings mailing-list
cve.org
访问
[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211008 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211009 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211011 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
FEDORA-2021-2a10bc68a4 vendor-advisory
cve.org
访问
FEDORA-2021-aaf90ef84a vendor-advisory
cve.org
访问
[oss-security] 20211015 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
[oss-security] 20211016 Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) mailing-list
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
GLSA-202208-20 vendor-advisory
cve.org
访问
134c704f-9b21-4f2e-91b3-4a467353bcc0 OTHER
nvd.nist.gov
访问
ExploitDB EDB-50406 EXPLOIT
exploitdb
访问
Download Exploit EDB-50406 EXPLOIT
exploitdb
访问
CVE Reference: CVE-2021-42013 ADVISORY
cve.org
访问
ExploitDB EDB-50446 EXPLOIT
exploitdb
访问
Download Exploit EDB-50446 EXPLOIT
exploitdb
访问
ExploitDB EDB-50512 EXPLOIT
exploitdb
访问
Download Exploit EDB-50512 EXPLOIT
exploitdb
访问
CVE Reference: CVE-2021-41773 ADVISORY
cve.org
访问
CVSS评分详情
3.1 (adp)
CRITICAL
9.8
CVSS向量: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
机密性
HIGH
完整性
HIGH
可用性
HIGH
时间信息
发布时间:
2021-10-07 15:50:14
修改时间:
2025-10-21 23:25:30
创建时间:
2025-11-11 15:37:03
更新时间:
2025-11-11 16:59:18
利用信息
此漏洞有可利用代码!
利用代码数量: 3
利用来源:
未知 未知 未知
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2021-42013 2025-11-11 15:21:07 2025-11-11 07:37:03
NVD nvd_CVE-2021-42013 2025-11-11 14:57:43 2025-11-11 07:45:21
CNNVD cnnvd_CNNVD-202110-413 2025-11-11 15:10:44 2025-11-11 07:56:58
EXPLOITDB exploitdb_EDB-50406 2025-11-11 15:05:28 2025-11-11 08:59:03
EXPLOITDB exploitdb_EDB-50446 2025-11-11 15:05:28 2025-11-11 08:59:08
EXPLOITDB exploitdb_EDB-50512 2025-11-11 15:05:28 2025-11-11 08:59:18
版本与语言
当前版本: v6
主要语言: EN
支持语言:
EN ZH
其他标识符:
:
:
:
:
:
:
安全公告
暂无安全公告信息
变更历史
v6 EXPLOITDB
2025-11-11 16:59:18
references_count: 36 → 39; tags_count: 4 → 5
查看详细变更
  • references_count: 36 -> 39
  • tags_count: 4 -> 5
v5 EXPLOITDB
2025-11-11 16:59:08
references_count: 34 → 36; tags_count: 3 → 4
查看详细变更
  • references_count: 34 -> 36
  • tags_count: 3 -> 4
v4 EXPLOITDB
2025-11-11 16:59:03
references_count: 31 → 34; tags_count: 0 → 3; data_sources: ['cnnvd', 'cve', 'nvd'] → ['cnnvd', 'cve', 'exploitdb', 'nvd']
查看详细变更
  • references_count: 31 -> 34
  • tags_count: 0 -> 3
  • data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']
v3 CNNVD
2025-11-11 15:56:58
vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-202110-413; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 其他
  • cnnvd_id: 未提取 -> CNNVD-202110-413
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:45:21
affected_products_count: 2 → 12; references_count: 30 → 31; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • affected_products_count: 2 -> 12
  • references_count: 30 -> 31
  • data_sources: ['cve'] -> ['cve', 'nvd']