Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-42013

Опубликовано: 07 окт. 2021
Источник: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS Критический

Описание

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Версия до 9.2.6.0 (исключая)
cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*
Версия до 18.1.0.1.0 (исключая)
Конфигурация 4
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*

EPSS

Процентиль: 100%
0.9441
Критический

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22
CWE-22

Связанные уязвимости

ubuntu логотип

CVE-2021-42013

CVSS3: 9.8
ubuntu
больше 4 лет назад

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

redhat логотип

CVE-2021-42013

CVSS3: 8.1
redhat
больше 4 лет назад

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

debian логотип

CVE-2021-42013

CVSS3: 9.8
debian
больше 4 лет назад

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4 ...

github логотип

GHSA-m24x-wx9p-jqmh

CVSS3: 9.8
github
больше 3 лет назад

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

fstec логотип

BDU:2021-04904

CVSS3: 9.8
fstec
больше 4 лет назад

Уязвимость веб-сервера Apache HTTP Server, связанная с недостатками проверки пути к каталогам, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 100%
0.9441
Критический

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22
CWE-22