Company of IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2021-42013

Description

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

POC

Reference

- http://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html

- http://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html

- http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html

- http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html

- http://packetstormsecurity.com/files/165089/Apache-HTTP-Server-2.4.50-CVE-2021-42013-Exploitation.html

- http://packetstormsecurity.com/files/167397/Apache-2.4.50-Remote-Code-Execution.html

- https://www.oracle.com/security-alerts/cpuapr2022.html

- https://www.oracle.com/security-alerts/cpujan2022.html

Github

- https://github.com/0day404/vulnerability-poc

- https://github.com/0day666/Vulnerability-verification

- https://github.com/0x783kb/Security-operation-book

- https://github.com/0x7n6/OSCP

- https://github.com/0xGabe/Apache-CVEs

- https://github.com/0xStrygwyr/OSCP-Guide

- https://github.com/0xZipp0/OSCP

- https://github.com/0xb0rn3/r3cond0g

- https://github.com/0xsyr0/OSCP

- https://github.com/12345qwert123456/CVE-2021-42013

- https://github.com/20142995/pocsuite3

- https://github.com/5gstudent/cve-2021-41773-and-cve-2021-42013

- https://github.com/AMatheusFeitosaM/OSCP-Cheat

- https://github.com/AMazkun/vuln-report-normalizer

- https://github.com/ARPSyndicate/cve-scores

- https://github.com/ARPSyndicate/cvemon

- https://github.com/ARPSyndicate/kenzer-templates

- https://github.com/Adashz/CVE-2021-42013

- https://github.com/AhenKay/INPT_report

- https://github.com/ArrestX/--POC

- https://github.com/Awrrays/FrameVul

- https://github.com/BassoNicolas/CVE-2021-42013

- https://github.com/CHYbeta/Vuln100Topics

- https://github.com/CHYbeta/Vuln100Topics20

- https://github.com/CLincat/vulcat

- https://github.com/CVEDB/PoC-List

- https://github.com/CVEDB/awesome-cve-repo

- https://github.com/CVEDB/top

- https://github.com/CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit

- https://github.com/ChalkingCode/ExploitedDucks

- https://github.com/Davida-AduGyamfi/INPT

- https://github.com/Dorsaa-Francis/inpt_report

- https://github.com/Drajoncr/AttackWebFrameworkTools

- https://github.com/EnriqueSanchezdelVillar/NotesHck

- https://github.com/EsselKobby/Virtual_Infosec_Africa_LAB

- https://github.com/FDlucifer/firece-fish

- https://github.com/Faizan-Khanx/OSCP

- https://github.com/Farrhouq/Inpt-report

- https://github.com/Gekonisko/CTF

- https://github.com/GhostTroops/TOP

- https://github.com/H0j3n/EzpzCheatSheet

- https://github.com/H0j3n/EzpzShell

- https://github.com/H4cking2theGate/TraversalHunter

- https://github.com/Hamesawian/CVE-2021-42013

- https://github.com/HariCyber-Sec/hackviser-cve-labs

- https://github.com/HimmelAward/Goby_POC

- https://github.com/Hydragyrum/CVE-2021-41773-Playground

- https://github.com/IcmpOff/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution-Exploit

- https://github.com/JERRY123S/all-poc

- https://github.com/Jhonsonwannaa/Jhonsonwannaa

- https://github.com/Jhonsonwannaa/cve-2021-42013-apache

- https://github.com/JosephJMRG/apache-docker-project

- https://github.com/K3ysTr0K3R/CVE-2021-42013-EXPLOIT

- https://github.com/K3ysTr0K3R/K3ysTr0K3R

- https://github.com/KayCHENvip/vulnerability-poc

- https://github.com/LayarKacaSiber/CVE-2021-42013

- https://github.com/LoSunny/vulnerability-testing

- https://github.com/Ls4ss/CVE-2021-41773_CVE-2021-42013

- https://github.com/Lucky9113/Automated-Vulnerability-Scanner-Management-Tool

- https://github.com/Luke-cmd/sharecode

- https://github.com/Ly0nt4r/OSCP

- https://github.com/MagicGautam/CVEs-Proof-Of-Concept

- https://github.com/Makavellik/POC-CVE-2021-42013-EXPLOIT

- https://github.com/Mallaichte/efed-management-system

- https://github.com/Miraitowa70/POC-Notes

- https://github.com/Mr-Tree-S/POC_EXP

- https://github.com/Mr-xn/Penetration_Testing_POC

- https://github.com/MrCl0wnLab/SimplesApachePathTraversal

- https://github.com/NaInSec/CVE-PoC-in-GitHub

- https://github.com/NeoOniX/5ATTACK

- https://github.com/NerokiDoki/sec-scanner-final-project

- https://github.com/NyxAzrael/Goby_POC

- https://github.com/OfriOuzan/CVE-2021-41773_CVE-2021-42013_Exploits

- https://github.com/Ostorlab/KEV

- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors

- https://github.com/PuddinCat/GithubRepoSpider

- https://github.com/ReflectedThanatos/OSCP-cheatsheet

- https://github.com/Rubikcuv5/cve-2021-42013

- https://github.com/SYRTI/POC_to_review

- https://github.com/Samue290/INPT-REPORT

- https://github.com/SantoriuHen/NotesHck

- https://github.com/SenukDias/OSCP_cheat

- https://github.com/Shadow-warrior0/Apache_path_traversal

- https://github.com/Shadowven/Vulnerability_Reproduction

- https://github.com/SirElmard/ethical_hacking

- https://github.com/TheLastVvV/CVE-2021-42013

- https://github.com/TheLastVvV/CVE-2021-42013_Reverse-Shell

- https://github.com/Threekiii/Awesome-POC

- https://github.com/Threekiii/Vulhub-Reproduce

- https://github.com/Urbank-61/CSC180Final

- https://github.com/Urbank-61/Urbank-61-CSC180CVEProject

- https://github.com/Vamckis/Container-Security

- https://github.com/Vanshuk-Bhagat/Apache-HTTP-Server-Vulnerabilities-CVE-2021-41773-and-CVE-2021-42013

- https://github.com/VishuGahlyan/OSCP

- https://github.com/Vulnmachines/cve-2021-42013

- https://github.com/WhooAmii/POC_to_review

- https://github.com/XiaomingX/awesome-poc-for-red-team

- https://github.com/Z0fhack/Goby_POC

- https://github.com/Zeop-CyberSec/apache_normalize_path

- https://github.com/Zero094/Vulnerability-verification

- https://github.com/Zeyad-Azima/Remedy4me

- https://github.com/Zyx2440/Apache-HTTP-Server-2.4.50-RCE

- https://github.com/adugyeni/INPT_Report

- https://github.com/ahmad4fifz/CVE-2021-41773

- https://github.com/ahmad4fifz/CVE-2021-42013

- https://github.com/ahur4/unsafe

- https://github.com/allengerysena/belajar-pentest-aplikasi-web

- https://github.com/alpaykuzu/PortScanner-CVE-Tool

- https://github.com/amessedad/autoexploitGPT

- https://github.com/andrea-mattioli/apache-exploit-CVE-2021-42013

- https://github.com/anquanscan/sec-tools

- https://github.com/asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp

- https://github.com/asepsaepdin/CVE-2021-42013

- https://github.com/azazelm3dj3d/apache-traversal

- https://github.com/bakery312/Vulhub-Reproduce

- https://github.com/bananoname/cve-2021-42013

- https://github.com/battleoverflow/apache-traversal

- https://github.com/birdlinux/CVE-2021-42013

- https://github.com/blackn0te/Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution

- https://github.com/cc8700619/poc

- https://github.com/cihan-atas/cyberexam-rooms

- https://github.com/cipher387/awesome-ip-search-engines

- https://github.com/corelight/CVE-2021-41773

- https://github.com/cyberanand1337x/bug-bounty-2022

- https://github.com/cybfar/cve-2021-42013-httpd

- https://github.com/d4n-sec/d4n-sec.github.io

- https://github.com/daffum3/internal-network-pentesting

- https://github.com/danryafuz/CS564_Project

- https://github.com/davincico/ChatGPT-2-HACKER

- https://github.com/defronixpro/Defronix-Cybersecurity-Roadmap

- https://github.com/dial25sd/arf-vulnerable-vm

- https://github.com/dream434/cve-2021-42013-apache

- https://github.com/dream434/dream434

- https://github.com/duggytuxy/Data-Shield_IPv4_Blocklist

- https://github.com/duggytuxy/Intelligence_IPv4_Blocklist

- https://github.com/e-hakson/OSCP

- https://github.com/eljosep/OSCP-Guide

- https://github.com/enciphers-team/cve-exploits

- https://github.com/enomothem/PenTestNote

- https://github.com/exfilt/CheatSheet

- https://github.com/f-this/f-apache

- https://github.com/fazilbaig1/oscp

- https://github.com/fc0d3x/softuni-recon-exam

- https://github.com/g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks

- https://github.com/gugas1nwork/apache-traversal

- https://github.com/gwyomarch/CVE-Collection

- https://github.com/hackedrishi/CTF_WRITEUPS-TryHackMe-CVE-2021-41773-

- https://github.com/hackgnar/setc

- https://github.com/hadrian3689/apache_2.4.50

- https://github.com/heane404/CVE_scan

- https://github.com/hktalent/TOP

- https://github.com/honypot/CVE-2021-41773

- https://github.com/honypot/CVE-2021-42013

- https://github.com/huimzjty/vulwiki

- https://github.com/hungnqdz/cve

- https://github.com/hxysaury/saury-vulnhub

- https://github.com/ibrahimetecicek/Advent-of-Cyber-3-2021-

- https://github.com/im-hanzou/apachrot

- https://github.com/imhunterand/ApachSAL

- https://github.com/imhunterand/CVE-2021-42013

- https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

- https://github.com/inbug-team/CVE-2021-41773_CVE-2021-42013

- https://github.com/israelbarnabas/inpt-report

- https://github.com/jas9reet/CVE-2021-42013-LAB

- https://github.com/jaychen2/NIST-BULK-CVE-Lookup

- https://github.com/jbmihoub/all-poc

- https://github.com/jitmondal1/OSCP

- https://github.com/kellisfen/13-01.md

- https://github.com/kgwanjala/oscp-cheatsheet

- https://github.com/kmukoo101/CVEye

- https://github.com/krlabs/apache-vulnerabilities

- https://github.com/ksanchezcld/httpd-2.4.49

- https://github.com/lekctut/sdb-hw-13-01

- https://github.com/lions2012/Penetration_Testing_POC

- https://github.com/ltfafei/my_POC

- https://github.com/lucagioacchini/auto-pen-bench

- https://github.com/macEar/cve-playground

- https://github.com/malwaremily/infosec-news-briefs

- https://github.com/mauricelambert/CVE-2021-42013

- https://github.com/mauricelambert/mauricelambert.github.io

- https://github.com/merlinepedra/AttackWebFrameworkTools-5.0

- https://github.com/merlinepedra25/AttackWebFrameworkTools-5.0

- https://github.com/metecicek/Advent-of-Cyber-3-2021-

- https://github.com/micaelarg/vulnerability_scanner_public

- https://github.com/mightysai1997/-apache_2.4.50

- https://github.com/mightysai1997/cve-2021-42013

- https://github.com/mightysai1997/cve-2021-42013.get

- https://github.com/mightysai1997/cve-2021-42013L

- https://github.com/misakitanabe/mastery_extension

- https://github.com/mr-exo/CVE-2021-41773

- https://github.com/nholuongut/secure-a-linux-server

- https://github.com/nitishbadole/oscp-note-3

- https://github.com/nomi-sec/PoC-in-GitHub

- https://github.com/odaysec/PwnTraverse

- https://github.com/oscpname/OSCP_cheat

- https://github.com/parth45/cheatsheet

- https://github.com/paultheal1en/auto_pen_bench_web

- https://github.com/pedr0alencar/vlab-metasploitable2

- https://github.com/peiqiF4ck/WebFrameworkTools-5.1-main

- https://github.com/peiqiF4ck/WebFrameworkTools-5.5

- https://github.com/peiqiF4ck/WebFrameworkTools-5.5-enhance

- https://github.com/pen4uin/awesome-vulnerability-research

- https://github.com/pen4uin/vulnerability-research

- https://github.com/pen4uin/vulnerability-research-list

- https://github.com/pisut4152/Sigma-Rule-for-CVE-2021-41773-and-CVE-2021-42013-exploitation-attempt

- https://github.com/plzheheplztrying/cve_monitor

- https://github.com/psibot/apache-vulnerable

- https://github.com/pwn3z/CVE-2021-41773-Apache-RCE

- https://github.com/pwnosec/ApachSAL

- https://github.com/q99266/saury-vulnhub

- https://github.com/quentin33980/ToolBox-qgt

- https://github.com/r0otk3r/CVE-2021-41773

- https://github.com/rafifdna/CVE-2021-42013

- https://github.com/ralvares/security-demos

- https://github.com/randomAnalyst/PoC-Fetcher

- https://github.com/ranhn/Goby-Poc

- https://github.com/retr0-13/apachrot

- https://github.com/revanmalang/OSCP

- https://github.com/rnsss/CVE-2021-42013

- https://github.com/robotsense1337/CVE-2021-42013

- https://github.com/sakshiishukla/Python-Vulnerability-Scanner

- https://github.com/samglish/ServerSide

- https://github.com/sergiovks/LFI-RCE-Unauthenticated-Apache-2.4.49-2.4.50

- https://github.com/shengshengli/AttackWebFrameworkTools-5.0

- https://github.com/skentagon/CVE-2021-41773

- https://github.com/soosmile/POC

- https://github.com/sparktsao/auto-pen-bench-study

- https://github.com/superlink996/chunqiuyunjingbachang

- https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway

- https://github.com/theLSA/apache-httpd-path-traversal-checker

- https://github.com/thexnumb/thexwriteup

- https://github.com/theykillmeslowly/CVE-2021-42013

- https://github.com/trhacknon/Pocingit

- https://github.com/twseptian/CVE-2021-41773

- https://github.com/twseptian/CVE-2021-42013-Docker-Lab

- https://github.com/twseptian/cve-2021-41773

- https://github.com/twseptian/cve-2021-41773-docker-lab

- https://github.com/twseptian/cve-2021-42013-docker-lab

- https://github.com/txuswashere/OSCP

- https://github.com/viliuspovilaika/cve-2021-42013

- https://github.com/vishal-rathod-1/shell_gpt

- https://github.com/vudala/CVE-2021-42013

- https://github.com/vulf/CVE-2021-41773_42013

- https://github.com/walnutsecurity/cve-2021-42013

- https://github.com/wangfly-me/Apache_Penetration_Tool

- https://github.com/weeka10/-hktalent-TOP

- https://github.com/winterwolf32/CVE-S---Penetration_Testing_POC-

- https://github.com/xMohamed0/CVE-2021-42013-ApacheRCE

- https://github.com/xhref/OSCP

- https://github.com/xuetusummer/Penetration_Testing_POC

- https://github.com/yigitcantunay35/Reconx

- https://github.com/zecool/cve

- https://github.com/zerodaywolf/CVE-2021-41773_42013