DEBIAN-CVE-2021-41773
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | apache2 | 0, 0, 0 |
| Debian:12 | apache2 | 0, 0, 0 |
| Debian:13 | apache2 | 0, 0, 0 |
Exploit Intelligence
- Proof of concept of CVE-2021-41773 (github-poc)
- Proof of concept of CVE-2021-41773 (github-poc-repo)
- 「🪶」PoC (Proof of concept) of Path traversal + RCE in Apache HTTP Server 2.4.49 (github-poc-repo)
- 「🪶」PoC (Proof of concept) of Path traversal + RCE in Apache HTTP Server 2.4.49 (github-poc)
- Apache HTTP Server 2.4.49 Path Traversal Vulnerability Reproduction (github-poc-repo)
- Apache HTTP Server 2.4.49 Path Traversal Vulnerability Reproduction (github-poc)
- im2sinister/CVE-2021-41773 (github-poc-repo)
- im2sinister/CVE-2021-41773 (github-poc)
- Kouf320/docker-lab-cve-2017-5638-cve-2021-41773 (github-poc-repo)
- Kouf320/docker-lab-cve-2017-5638-cve-2021-41773 (github-poc)
…and 233 more exploits
Timeline
- Oct 5, 2021 CVE Published
- Apr 28, 2026 CVE Updated