CVE-2021-41773

Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Basic Information

CVE State
PUBLISHED
Reserved Date
September 29, 2021
Published Date
October 05, 2021
Last Updated
February 04, 2025
Vendor
Apache Software Foundation
Product
Apache HTTP Server
Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

CVSS Scores

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2021-11-03 00:00:00 UTC)
Proof of Concept Available
Yes (added 2022-11-18 12:23:04 UTC)
Used in Malware
Yes (added 2021-11-03 00:00:00 UTC)

References

https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f%40%3Cusers.httpd.apache.org%3E
https://lists.apache.org/thread.html/r98d704ed4377ed889d40479db79ed1ee2f43b2ebdd79ce84b042df45%40%3Cannounce.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/10/05/2
http://www.openwall.com/lists/oss-security/2021/10/07/1
https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb%40%3Cusers.httpd.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/10/07/6
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
http://www.openwall.com/lists/oss-security/2021/10/08/1
https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3%40%3Ccvs.httpd.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/10/08/2
http://www.openwall.com/lists/oss-security/2021/10/08/3
http://www.openwall.com/lists/oss-security/2021/10/08/4
http://www.openwall.com/lists/oss-security/2021/10/08/6
http://www.openwall.com/lists/oss-security/2021/10/08/5
http://www.openwall.com/lists/oss-security/2021/10/09/1
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal-Remote-Code-Execution.html
http://www.openwall.com/lists/oss-security/2021/10/11/4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
http://www.openwall.com/lists/oss-security/2021/10/15/3
http://www.openwall.com/lists/oss-security/2021/10/16/1
https://www.oracle.com/security-alerts/cpujan2022.html
https://security.netapp.com/advisory/ntap-20211029-0009/
http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
https://security.gentoo.org/glsa/202208-20

Known Exploited Vulnerability Information

Source
CISA
Added Date
2021-11-03 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Vanshuk-Bhagat/Apache-HTTP-Server-Vulnerabilities-CVE-2021-41773-and-CVE-2021-42013

Type: github • Created: 2025-03-11 07:56:58 UTC • Stars: 0

In this project, I documented a detailed penetration testing process targeting Apache HTTP Server vulnerabilities, specifically CVE-2021-41773 and CVE-2021-42013, which involve Path Traversal and Remote Code Execution (RCE).

belajarqywok/CVE-2021-41773-MSF

Type: github • Created: 2023-08-11 12:12:09 UTC • Stars: 6

Simple Metasploit-Framework module for conducting website penetration tests (CVE-2021-41773).

OfriOuzan/CVE-2021-41773_CVE-2021-42013_Exploits

Type: github • Created: 2023-08-02 09:50:10 UTC • Stars: 4

Exploit CVE-2021-41773 and CVE-2021-42013

12345qwert123456/CVE-2021-41773

Type: github • Created: 2022-11-18 12:23:04 UTC • Stars: 0

Vulnerable configuration Apache HTTP Server version 2.4.49

aqiao-jashell/py-CVE-2021-41773

Type: github • Created: 2022-11-01 09:17:03 UTC • Stars: 7

Apache path traversal PoC & exploit written in Python

aqiao-jashell/CVE-2021-41773

Type: github • Created: 2022-11-01 05:58:59 UTC • Stars: 9

Apache path traversal vulnerability PoC & exploit

Habib0x0/CVE-2021-41773

Type: github • Created: 2022-06-07 11:22:08 UTC • Stars: 2

CVE-2021-41773 | Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code Execution attacks

Chocapikk/CVE-2021-41773

Type: github • Created: 2022-04-12 13:25:58 UTC • Stars: 2

thehackersbrain/CVE-2021-41773

Type: github • Created: 2022-03-12 21:24:55 UTC • Stars: 107

Apache2 2.4.49 - LFI & RCE Exploit - CVE-2021-41773

mauricelambert/CVE-2021-41773

Type: github • Created: 2022-03-08 21:55:53 UTC • Stars: 1

These Metasploit, Nmap, Python and Ruby scripts detect and exploit CVE-2021-41773 with RCE and local file disclosure.

Soliux/CVE-2021-41773

Type: github • Created: 2021-11-11 15:10:08 UTC • Stars: 2

On 11/11/21 the Apache 2.4.49-2.4.50 remote command execution POC was published online, and this is a loader so that you can mass exploit servers using it.

pirenga/CVE-2021-41773

Type: github • Created: 2021-11-11 13:10:05 UTC • Stars: 0

This program detects an RCE flaw on Apache 2.4.49 and Apache 2.4.50 servers.

Hydragyrum/CVE-2021-41773-Playground

Type: github • Created: 2021-11-04 22:52:44 UTC • Stars: 6

Some docker images to play with CVE-2021-41773 and CVE-2021-42013

mr-exo/CVE-2021-41773

Type: github • Created: 2021-10-26 17:56:25 UTC • Stars: 10

Remote Code Execution exploit for Apache servers. Affected versions: Apache 2.4.49, Apache 2.4.50

zerodaywolf/CVE-2021-41773_42013

Type: github • Created: 2021-10-18 12:01:58 UTC • Stars: 2

Lab setup for CVE-2021-41773 (Apache httpd 2.4.49) and CVE-2021-42013 (Apache httpd 2.4.50).

lopqto/CVE-2021-41773_Honeypot

Type: github • Created: 2021-10-16 15:30:34 UTC • Stars: 2

Simple honeypot for CVE-2021-41773 vulnerability

LudovicPatho/CVE-2021-41773

Type: github • Created: 2021-10-15 21:38:48 UTC • Stars: 3

The first vulnerability with the CVE identifier CVE-2021-41773 is a path traversal flaw that exists in Apache HTTP Server 2.4.49.

inbug-team/CVE-2021-41773_CVE-2021-42013

Type: github • Created: 2021-10-09 03:32:18 UTC • Stars: 147

CVE-2021-41773 / CVE-2021-42013 batch vulnerability detection tool

superzerosec/CVE-2021-41773

Type: github • Created: 2021-10-08 15:40:41 UTC • Stars: 3

POC

zeronine9/CVE-2021-41773

Type: github • Created: 2021-10-08 07:24:49 UTC • Stars: 11

Fast Python tool to test Apache path traversal CVE-2021-41773 against a list of URLs

corelight/CVE-2021-41773

Type: github • Created: 2021-10-08 06:54:27 UTC • Stars: 1

A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)

0xRar/CVE-2021-41773

Type: github • Created: 2021-10-08 04:26:31 UTC • Stars: 7

Exploit for Apache 2.4.49

shellreaper/CVE-2021-41773

Type: github • Created: 2021-10-08 01:13:33 UTC • Stars: 1

This is a simple POC for Apache/2.4.49 Path Traversal Vulnerability

McSl0vv/CVE-2021-41773

Type: github • Created: 2021-10-07 14:41:05 UTC • Stars: 0

Apache 2.4.49 Exploit

noflowpls/CVE-2021-41773

Type: github • Created: 2021-10-07 12:30:13 UTC • Stars: 6

CVE-2021-41773

orangmuda/CVE-2021-41773

Type: github • Created: 2021-10-07 00:14:40 UTC • Stars: 3

Apache HTTPd (2.4.49) – Local File Disclosure (LFI)

jheeree/Simple-CVE-2021-41773-checker

Type: github • Created: 2021-10-06 23:32:30 UTC • Stars: 2

Simple script written in bash to check multiple hosts for CVE-2021-41773 (Apache)

AssassinUKG/CVE-2021-41773

Type: github • Created: 2021-10-06 21:37:18 UTC • Stars: 2

Apache 2.4.49

n3k00n3/CVE-2021-41773

Type: github • Created: 2021-10-06 19:39:25 UTC • Stars: 1

Exploit for CVE-2021-41773

BlueTeamSteve/CVE-2021-41773

Type: github • Created: 2021-10-06 14:47:23 UTC • Stars: 20

Vulnerable docker images for CVE-2021-41773

ranggaggngntt/CVE-2021-41773

Type: github • Created: 2021-10-06 14:36:05 UTC • Stars: 0

1nhann/CVE-2021-41773

Type: github • Created: 2021-10-06 14:17:31 UTC • Stars: 10

Reproduction of CVE-2021-41773

jbovet/CVE-2021-41773

Type: github • Created: 2021-10-06 13:39:57 UTC • Stars: 4

Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)

blasty/CVE-2021-41773

Type: github • Created: 2021-10-06 07:17:05 UTC • Stars: 208

CVE-2021-41773 playground

creadpag/CVE-2021-41773-POC

Type: github • Created: 2021-10-06 05:34:48 UTC • Stars: 8

CVE-2021-41773

habibiefaried/CVE-2021-41773-PoC

Type: github • Created: 2021-10-06 03:01:41 UTC • Stars: 4

PoC for CVE-2021-41773 with docker to demonstrate

itsecurityco/CVE-2021-41773

Type: github • Created: 2021-10-06 02:30:40 UTC • Stars: 11

CVE-2021-41773 POC with Docker

Ls4ss/CVE-2021-41773_CVE-2021-42013

Type: github • Created: 2021-10-06 02:28:41 UTC • Stars: 21

Apache HTTP Server 2.4.49, 2.4.50 - Path Traversal & RCE

lorddemon/CVE-2021-41773-PoC

Type: github • Created: 2021-10-05 23:53:48 UTC • Stars: 37

TishcaTpx/POC-CVE-2021-41773

Type: github • Created: 2021-10-05 20:41:34 UTC • Stars: 6

Poc.py

j4k0m/CVE-2021-41773

Type: github • Created: 2021-10-05 20:30:01 UTC • Stars: 12

Exploitation of CVE-2021-41773, a directory traversal in Apache 2.4.49.

iilegacyyii/PoC-CVE-2021-41773

Type: github • Created: 2021-10-05 17:30:43 UTC • Stars: 47

ZephrFish/CVE-2021-41773-PoC

Type: github • Created: 2021-10-05 17:29:49 UTC • Stars: 17

knqyf263/CVE-2021-41773

Type: github • Created: 2021-10-05 16:45:41 UTC • Stars: 10

Path traversal in Apache HTTP Server 2.4.49 (CVE-2021-41773)

numanturle/CVE-2021-41773

Type: github • Created: 2021-10-05 16:18:09 UTC • Stars: 9

CVE-2021-41773