PT-2021-4294 · Apache+1 · Apache Http Server+1

Published: 2021-10-04 · Updated: 2026-05-16 · CVE-2021-41773

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.49 through 2.4.50

Description: A flaw in path normalization allows a remote attacker to perform a path traversal attack, mapping URLs to files outside the directories configured by Alias-like directives. This occurs if the files are not protected by the default "require all denied" configuration. If CGI scripts are enabled for these paths, the issue can lead to remote code execution. This issue has been exploited in the wild.

Recommendations: Update Apache HTTP Server to a version later than 2.4.50. As a temporary workaround, ensure that the configuration "require all denied" is applied to directories outside the intended alias paths and restrict the use of CGI scripts in those locations.
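
An added example, not part of the original advisory and not Apache's own tooling: a small audit of `<Directory>` blocks against the workaround described above. The sample configuration, the `audit` and `directory_blocks` functions, and the `intended` path list are assumptions constructed for illustration.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # versions this page lists as affected

# Constructed sample configuration (assumption, not from a real server).
SAMPLE_CONF = """\
<Directory />
    AllowOverride none
    Require all granted
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
<Directory "/opt/scripts">
    Options +ExecCGI
    Require all granted
</Directory>
"""

BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def directory_blocks(conf):
    """Map each <Directory> path to its normalised, lower-cased directives."""
    blocks = {}
    for path, body in BLOCK.findall(conf):
        lines = [" ".join(l.split()).lower() for l in body.splitlines()]
        blocks[path.strip()] = [l for l in lines if l and not l.startswith("#")]
    return blocks

def audit(conf, version, intended=("/var/www",)):
    """Return findings for the version and the workaround in the advisory."""
    findings = []
    if version in AFFECTED:
        findings.append(f"version {version} is listed as affected")
    blocks = directory_blocks(conf)
    if "require all denied" not in blocks.get("/", []):
        findings.append('<Directory /> lacks "Require all denied"')
    for path, lines in blocks.items():
        if path == "/" or path.startswith(intended):
            continue  # root is checked above; intended paths may be served
        if "require all granted" in lines:
            findings.append(f"{path}: access granted outside intended paths")
        # "Options -ExecCGI" disables CGI, so only the enabling forms count.
        if any(l.startswith("options ") and {"execcgi", "+execcgi"} & set(l.split())
               for l in lines):
            findings.append(f"{path}: CGI execution enabled")
    return findings
```

The parser only reads literal `<Directory>` blocks in a single file; `Include` directives, `<DirectoryMatch>` and per-vhost overrides need to be resolved before the result can be trusted.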

Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

ALSA-2021_3816
ALSA-2022_0891
ALSA-2022_1915
ALSA-2023_1670
ALSA-2023_1673
ALSA-2025_16880
ALT-PU-2021-2994
ALT-PU-2021-3018
ALT-PU-2021-3037
ALT-PU-2021-3060
BDU:2021-04903
BIT-APACHE-2021-41773
CVE-2021-41773
MGASA-2021-0461
OPENSUSE-SU-2024:11560-1

Affected Products

Alt Linux
Apache Http Server