CVE-2021-42013
CVSS 3.1 Score 9.8 of 10 (high)
Details
Summary
CVE-2021-42013 is a vulnerability in Apache HTTP Server 2.4.50 that results from an insufficient fix for the previously addressed CVE-2021-41773. An attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed and the attacker gains access to those files. If CGI scripts are also enabled for these aliased paths, this could lead to remote code execution. This vulnerability affects only Apache 2.4.49 and 2.4.50.
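A defender-side check for the three conditions the summary names (affected release, missing "require all denied" on the filesystem root, CGI enabled), as an added example that is not Apache's or this page's own code. The function name, finding codes and both sample configurations are constructed for illustration, and the parser assumes a single configuration file with no Include directives.

```python
import re

AFFECTED_VERSIONS = {"2.4.49", "2.4.50"}  # the two releases named in the summary
ROOT_OPEN = re.compile(r'^<Directory\s+"?/"?\s*>$', re.I)
BLOCK_CLOSE = re.compile(r'^</Directory\s*>$', re.I)
DENY_ALL = re.compile(r'^Require\s+all\s+denied$', re.I)
# ScriptAlias, or an Options line that turns ExecCGI on ("-ExecCGI" is ignored)
CGI_HINT = re.compile(r'^(ScriptAlias(Match)?\s|Options\s.*(?<![-\w])ExecCGI\b)', re.I)

# Constructed sample configurations (not taken from any real host)
WEAK_CONF = '''<Directory />
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
'''
HARDENED_CONF = '''<Directory />
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
'''


def audit_httpd(version, conf_text):
    """Return finding codes for one server (hypothetical helper and codes)."""
    if version not in AFFECTED_VERSIONS:
        return []
    findings = ["AFFECTED_VERSION"]  # upgrading is the actual fix
    in_root = root_denied = cgi = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        if ROOT_OPEN.match(line):
            in_root = True
        elif BLOCK_CLOSE.match(line):
            in_root = False
        elif in_root and DENY_ALL.match(line):
            root_denied = True  # default deny covers files outside aliased dirs
        if CGI_HINT.match(line):
            cgi = True  # raises the impact from file disclosure to code execution
    if not root_denied:
        findings.append("ROOT_NOT_DENIED")
    if cgi:
        findings.append("CGI_ENABLED")
    return findings
```

A result containing only `AFFECTED_VERSION` still calls for an upgrade; the other two codes indicate how exposed the host is until then.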
Affected Products
- Oracle JD Edwards EnterpriseOne Tools
- Oracle Instantis Enterprisetrack
- Fedora Operating System
- Apache Software Foundation Apache HTTP Server
Affected Vendors
- Apache Software Foundation
- Fedora Project
- BonqDAO