CVE-2021-41773

Source
https://cve.org/CVERecord?id=CVE-2021-41773
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41773.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-41773
Aliases
Downstream
Related
Published
2021-10-05T09:15:07.593Z
Modified
2026-04-02T07:34:15.706352Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

References

Affected packages

Git / github.com/apache/httpd

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.4.49"
        }
    ]
}

Affected versions

1.*
1.2.0
1.2.1
1.2.2
1.3
1.3.0
1.3.1
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
2.*
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.3
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.4
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.5
2.0.50
2.0.51
2.0.52
2.0.53
2.0.54
2.0.55
2.0.56
2.0.57
2.0.58
2.0.59
2.0.6
2.0.60
2.0.61
2.0.62
2.0.63
2.0.64
2.0.65
2.0.7
2.0.8
2.0.9
2.1.1
2.1.10
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.2
2.2.20
2.2.21
2.2.22
2.2.23
2.2.24
2.2.25
2.2.26
2.2.27
2.2.28
2.2.29
2.2.3
2.2.30
2.2.31
2.2.32
2.2.33
2.2.34
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.3.0
2.3.1
2.3.10
2.3.11
2.3.12
2.3.13
2.3.14
2.3.15
2.3.16
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.10
2.4.11
2.4.12
2.4.13
2.4.14
2.4.15
2.4.16
2.4.17
2.4.18
2.4.19
2.4.2
2.4.20
2.4.21
2.4.22
2.4.23
2.4.24
2.4.25
2.4.26
2.4.27
2.4.28
2.4.29
2.4.3
2.4.30
2.4.31
2.4.32
2.4.33
2.4.34
2.4.35
2.4.36
2.4.37
2.4.38
2.4.39
2.4.4
2.4.40
2.4.41
2.4.42
2.4.43
2.4.44
2.4.45
2.4.46
2.4.47
2.4.48
2.4.49
2.4.5
2.4.50
2.4.51
2.4.52
2.4.53
2.4.53-rc1-candidate
2.4.53-rc2-candidate
2.4.54
2.4.54-rc1-candidate
2.4.54-rc2-candidate
2.4.54-rc3-candidate
2.4.55
2.4.55-rc1-candidate
2.4.56
2.4.56-candidate
2.4.56-rc1-candidate
2.4.57
2.4.57-rc1-candidate
2.4.58
2.4.58-rc1-candidate
2.4.58-rc2-candidate
2.4.58-rc3-candidate
2.4.59
2.4.59-rc1-candidate
2.4.6
2.4.60
2.4.60-rc1-candidate
2.4.60-rc2-candidate
2.4.60-rc3-candidate
2.4.60-rc4-candidate
2.4.61
2.4.61-rc1-candidate
2.4.62
2.4.62-rc1-candidate
2.4.63
2.4.63-candidate
2.4.64
2.4.64-rc1-candidate
2.4.64-rc2-candidate
2.4.65
2.4.65-rc1-candidate
2.4.65-rc2-candidate
2.4.65-rc3-candidate
2.4.66
2.4.66-rc1-candidate
2.4.7
2.4.8
2.4.9
2.5.0-alpha
2.5.0-alpha2-ci-test-only
Other
AGB_BEFORE_AAA_CHANGES
APACHE_1_2b1
APACHE_1_2b10
APACHE_1_2b11
APACHE_1_2b2
APACHE_1_2b3
APACHE_1_2b4
APACHE_1_2b5
APACHE_1_2b6
APACHE_1_2b7
APACHE_1_2b8
APACHE_1_2b9
APACHE_1_3_PRE_NT
APACHE_1_3a1
APACHE_1_3b1
APACHE_1_3b2
APACHE_1_3b3
APACHE_1_3b5
APACHE_1_3b6
APACHE_1_3b7
APACHE_2_0_2001_02_09
APACHE_2_0_52_WROWE_RC1
APACHE_2_0_ALPHA
APACHE_2_0_ALPHA_2
APACHE_2_0_ALPHA_3
APACHE_2_0_ALPHA_4
APACHE_2_0_ALPHA_5
APACHE_2_0_ALPHA_6
APACHE_2_0_ALPHA_7
APACHE_2_0_ALPHA_8
APACHE_2_0_ALPHA_9
APACHE_2_0_BETA_CANDIDATE_1
APACHE_BIG_SYMBOL_RENAME_POST
APACHE_BIG_SYMBOL_RENAME_PRE
CHANGES
HTTPD_LDAP_1_0_0
INITIAL
MOD_SSL_2_8_3
PCRE_3_9
POST_APR_SPLIT
PRE_APR_CHANGES
STRIKER_2_0_51_RC1
STRIKER_2_0_51_RC2
STRIKER_2_1_0_RC1
WROWE_2_0_43_PRE1
apache-1_3-merge-1-post
apache-1_3-merge-1-pre
apache-1_3-merge-2-post
apache-1_3-merge-2-pre
apache-apr-merge-3
apache-doc-split-01
dg_last_1_2_doc_merge
djg-apache-nspr-07
djg_nspr_split
moving_to_httpd_module
mpm-3
mpm-merge-1
mpm-merge-2
post_ajp_proxy
pre_ajp_proxy
candidate-2.*
candidate-2.4.49
candidate-2.4.49-rc1
candidate-2.4.50-rc1
candidate-2.4.51-rc1
candidate-2.4.52-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41773.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.3"
            }
        ]
    }
]