CVE-2021-42013
9.8 CRITICAL
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.
Published: 2021-10-07 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-22
Affected products
| Vendor | Product |
|---|---|
| apache | cloud_backup, fedora, http_server |
| fedoraproject | cloud_backup, fedora, http_server |
| netapp | cloud_backup, fedora, http_server |
| oracle | cloud_backup, fedora, http_server |
Description
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-42013
- [Other] http://jvn.jp/en/jp/JVN51106450/index.html
- [Exploit reference] http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html
- [Exploit reference] http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- [Exploit reference] http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
- [Exploit reference] http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
- [Other] http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html
- [Exploit reference] http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html
- [Other] http://www.openwall.com/lists/oss-security/2021/10/07/6
- [Other] http://www.openwall.com/lists/oss-security/2021/10/08/1
- [Other] http://www.openwall.com/lists/oss-security/2021/10/08/2
- [Other] http://www.openwall.com/lists/oss-security/2021/10/08/3
- [Other] http://www.openwall.com/lists/oss-security/2021/10/08/4
- [Other] http://www.openwall.com/lists/oss-security/2021/10/08/5
- [Other] http://www.openwall.com/lists/oss-security/2021/10/08/6
- [Other] http://www.openwall.com/lists/oss-security/2021/10/09/1
- [Other] http://www.openwall.com/lists/oss-security/2021/10/11/4
- [Other] http://www.openwall.com/lists/oss-security/2021/10/15/3
- [Other] http://www.openwall.com/lists/oss-security/2021/10/16/1
- [Vendor advisory] https://httpd.apache.org/security/vulnerabilities_24.html
- [Patch] https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E
- [Other] https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E
- [Other] https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
- [Other] https://security.gentoo.org/glsa/202208-20
- [Other] https://security.netapp.com/advisory/ntap-20211029-0009/
- [Other] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
- [Patch] https://www.oracle.com/security-alerts/cpuapr2022.html
- [Patch] https://www.oracle.com/security-alerts/cpujan2022.html
- [Exploit reference] https://www.povilaika.com/apache-2-4-50-exploit/
- [Other] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42013
Related CVEs
Same vendor
- CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
- CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
- CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)
- CVE-2026-50631 — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and ... (7.4 HIGH)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)