CVE-2021-41773
9.8 CRITICAL
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49
Published: 2021-10-05 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-22
Affected products
| Vendor | Product |
|---|---|
| apache | cloud_backup, fedora, http_server |
| fedoraproject | cloud_backup, fedora, http_server |
| netapp | cloud_backup, fedora, http_server |
| oracle | cloud_backup, fedora, http_server |
Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete; see CVE-2021-42013.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- [Exploit reference]http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal-Remote-Code-Execution.html
- [Exploit reference]http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html
- [Exploit reference]http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
- [Exploit reference]http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- [Other]http://www.openwall.com/lists/oss-security/2021/10/05/2
- [Other]http://www.openwall.com/lists/oss-security/2021/10/07/1
- [Other]http://www.openwall.com/lists/oss-security/2021/10/07/6
- [Exploit reference]http://www.openwall.com/lists/oss-security/2021/10/08/1
- [Other]http://www.openwall.com/lists/oss-security/2021/10/08/2
- [Exploit reference]http://www.openwall.com/lists/oss-security/2021/10/08/3
- [Other]http://www.openwall.com/lists/oss-security/2021/10/08/4
- [Other]http://www.openwall.com/lists/oss-security/2021/10/08/5
- [Other]http://www.openwall.com/lists/oss-security/2021/10/08/6
- [Other]http://www.openwall.com/lists/oss-security/2021/10/09/1
- [Patch]http://www.openwall.com/lists/oss-security/2021/10/11/4
- [Patch]http://www.openwall.com/lists/oss-security/2021/10/15/3
- [Other]http://www.openwall.com/lists/oss-security/2021/10/16/1
- [Vendor advisory]https://httpd.apache.org/security/vulnerabilities_24.html
- [Patch]https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E
- [Other]https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f%40%3Cusers.httpd.apache.org%3E
- [Other]https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E
- [Other]https://lists.apache.org/thread.html/r98d704ed4377ed889d40479db79ed1ee2f43b2ebdd79ce84b042df45%40%3Cannounce.apache.org%3E
- [Other]https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
- [Other]https://security.gentoo.org/glsa/202208-20
- [Other]https://security.netapp.com/advisory/ntap-20211029-0009/
- [Other]https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
- [Patch]https://www.oracle.com/security-alerts/cpujan2022.html
- [Other]https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41773
Related CVEs
Same vendor
- CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
- CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
- CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)
- CVE-2026-50631 — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and ... (7.4 HIGH)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)