CVE-2021-42013
9.8 CRITICAL
📋 TL;DR
CVE-2021-42013 is a critical path traversal vulnerability in Apache HTTP Server that allows attackers to access files outside configured directories. If CGI scripts are enabled for aliased paths, this can lead to remote code execution. Only Apache versions 2.4.49 and 2.4.50 are affected.
💻 Affected Systems
Products:
- Apache HTTP Server
Versions: 2.4.49 and 2.4.50 only
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable:
⚠️ Yes
Notes: Vulnerability requires specific path traversal patterns and depends on directory configuration. CGI script execution amplifies risk.
📦 What is this software?
Fedora by Fedoraproject
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise if CGI is enabled and files outside aliased directories are not properly restricted.
Likely Case
Unauthorized file access and potential information disclosure from sensitive files.
If Mitigated
Limited impact if 'require all denied' is properly configured for all directories.
🌐 Internet-Facing: HIGH - Web servers are directly exposed and exploit is unauthenticated.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit but requires network access.
🎯 Exploit Status
Public PoC:
⚠️ Yes
Weaponized:
CONFIRMED
Unauthenticated Exploit:
⚠️ Yes
Complexity:
LOW
Multiple public exploit scripts and proof-of-concepts are available. Attack requires specific URL patterns but is straightforward to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache HTTP Server 2.4.51
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Download Apache 2.4.51 or later from official Apache website. 2. Stop Apache service. 3. Backup configuration files. 4. Install new version. 5. Restart Apache service.
🔧 Temporary Workarounds
Disable CGI for aliased paths
allPrevent remote code execution by disabling CGI script execution for vulnerable path configurations.
# In Apache configuration, ensure: Options -ExecCGI
# Or specifically: <Directory "/path/to/aliased">
Options -ExecCGI
</Directory>
Implement strict directory permissions
allEnsure all directories outside aliased paths have 'require all denied' configuration.
# In Apache configuration:
<Directory "/">
Require all denied
</Directory>
# Then explicitly allow only necessary directories
🧯 If You Can't Patch
- Immediately upgrade to Apache 2.4.51 or later - this is the only complete fix.
- If upgrade is impossible, implement WAF rules to block path traversal patterns and restrict CGI execution.
🔍 How to Verify
Check if Vulnerable:
Check Apache version with 'httpd -v' or 'apache2 -v'. If version is 2.4.49 or 2.4.50, system is vulnerable.Check Version:
httpd -v (or apache2 -v on some systems)Verify Fix Applied:
After patching, verify version shows 2.4.51 or later. Test with known exploit patterns to confirm they are blocked.📡 Detection & Monitoring
Log Indicators:
- URL requests containing '..' or encoded path traversal patterns like '%2e%2e'
- Access to files outside expected document root
- CGI script execution from unexpected paths
Network Indicators:
- HTTP requests with path traversal patterns to Apache servers
- Unusual file access patterns from single source
SIEM Query:
source="apache_access" AND (uri="*..*" OR uri="*%2e%2e*" OR uri="*%252e%252e*")🔗 References
- http://jvn.jp/en/jp/JVN51106450/index.html
- http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html
- http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html
- http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2021/10/07/6
- http://www.openwall.com/lists/oss-security/2021/10/08/1
- http://www.openwall.com/lists/oss-security/2021/10/08/2
- http://www.openwall.com/lists/oss-security/2021/10/08/3
- http://www.openwall.com/lists/oss-security/2021/10/08/4
- http://www.openwall.com/lists/oss-security/2021/10/08/5
- http://www.openwall.com/lists/oss-security/2021/10/08/6
- http://www.openwall.com/lists/oss-security/2021/10/09/1
- http://www.openwall.com/lists/oss-security/2021/10/11/4
- http://www.openwall.com/lists/oss-security/2021/10/15/3
- http://www.openwall.com/lists/oss-security/2021/10/16/1
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211029-0009/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.povilaika.com/apache-2-4-50-exploit/
- http://jvn.jp/en/jp/JVN51106450/index.html
- http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html
- http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html
- http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2021/10/07/6
- http://www.openwall.com/lists/oss-security/2021/10/08/1
- http://www.openwall.com/lists/oss-security/2021/10/08/2
- http://www.openwall.com/lists/oss-security/2021/10/08/3
- http://www.openwall.com/lists/oss-security/2021/10/08/4
- http://www.openwall.com/lists/oss-security/2021/10/08/5
- http://www.openwall.com/lists/oss-security/2021/10/08/6
- http://www.openwall.com/lists/oss-security/2021/10/09/1
- http://www.openwall.com/lists/oss-security/2021/10/11/4
- http://www.openwall.com/lists/oss-security/2021/10/15/3
- http://www.openwall.com/lists/oss-security/2021/10/16/1
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211029-0009/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.povilaika.com/apache-2-4-50-exploit/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42013
