CVE-2021-42013
Description
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and 2.4.50, not earlier versions.
Severity: CRITICAL
CVE ID: CVE-2021-42013
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
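The description above says only that the 2.4.50 fix was "insufficient". The following Python is an added example written for this page; it is not Apache code and not taken from any of the PoC repositories listed below. It models the difference between the CVE-2021-41773 shape (a single-encoded dot, %2e, which 2.4.50 rejects) and the CVE-2021-42013 shape (a double-encoded dot, %%32%65, which survives one decoding pass as %2e and only becomes "." on the next pass), and then runs that logic over constructed access-log lines to flag traversal probes that leave the aliased directory. The decode_once/segment_is_dotdot functions are a simplified stand-in for "decode each %xx once, then reject a segment that equals .." and are an assumption about the 2.4.50 logic, not the actual httpd source; SAMPLE_LOG is constructed, not real traffic.

```python
"""
Added example for this page (not Apache code and not from any PoC repo
listed below): why one pass of percent-decoding lets a doubly-encoded dot
through, and a check that flags such probes in an httpd access log.

Assumptions (not taken from the page): decode_once()/segment_is_dotdot()
are a simplified model of "decode each %xx once, then reject a segment
that is '..'", standing in for the 2.4.50 fix; SAMPLE_LOG is constructed.
"""
import re

# One percent-encoded byte: "%2e" -> ".".  In "%%32%65" only "%32" and
# "%65" match, so a single pass yields "%2e", not ".".
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_once(path: str) -> str:
    """Decode every %xx exactly once (one pass, like a single unescape)."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), path)


def segment_is_dotdot(seg: str) -> bool:
    """Modelled 2.4.50-style check: one decode, then compare with '..'.
    Catches '%2e%2e' (CVE-2021-41773) but not '.%%32%65'."""
    return decode_once(seg) == ".."


def fully_decoded(path: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing (bounded), which is what a
    detector must do: '.%%32%65' -> '.%2e' -> '..'."""
    for _ in range(max_rounds):
        nxt = decode_once(path)
        if nxt == path:
            break
        path = nxt
    return path


def escapes_alias_root(path: str) -> bool:
    """True if the fully decoded path climbs above its first directory
    (the aliased root such as /cgi-bin/ or /icons/) via '..' segments."""
    segs = [s for s in fully_decoded(path).split("/") if s not in ("", ".")]
    depth = 0
    for seg in segs[1:]:  # segs[0] is the aliased root itself
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def bypasses_2450_check(path: str) -> bool:
    """The CVE-2021-42013 shape: no segment trips the one-pass '..' check,
    yet the fully decoded path still leaves the aliased directory."""
    flagged = any(segment_is_dotdot(s) for s in path.split("/"))
    return not flagged and escapes_alias_root(path)


# Constructed Common Log Format lines (not real traffic).  The first two
# have the 2.4.50 (double-encoded) shape, the third the 2.4.49 shape that
# 2.4.50 already rejects, the last two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1274
203.0.113.5 - - [07/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 39
198.51.100.7 - - [07/Oct/2021:10:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199
192.0.2.9 - - [07/Oct/2021:10:00:04 +0000] "GET /cgi-bin/test.cgi?x=1 HTTP/1.1" 200 512
192.0.2.9 - - [07/Oct/2021:10:00:05 +0000] "GET /cgi-bin/a/../b.cgi HTTP/1.1" 200 512
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)


def find_traversal_probes(log_text: str) -> list:
    """Return (ip, method, path, status) for every request whose path
    escapes its aliased root.  A 200 on such a line is the one to act on;
    a 403 means the server refused the mapped file."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target").split("?", 1)[0]   # drop the query string
        if escapes_alias_root(target):
            hits.append((m.group("ip"), m.group("method"), target,
                         int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_probes(SAMPLE_LOG):
        print(hit)
```

Because the detector decodes until the path stops changing rather than once, it flags both the single-encoded (2.4.49) and double-encoded (2.4.50) forms, which is why the scanners further down this page pair CVE-2021-41773 and CVE-2021-42013. The status column tells you whether the traversal actually reached a file: a 200 on a path that escapes /cgi-bin/ or /icons/ is the case the description warns about, and a POST that maps the CGI alias onto a binary such as /bin/sh is the RCE variant it mentions when CGI is enabled.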
Proof Of Concept
Nuclei Templates for CVE-2021-42013
Reference: Project Discovery GitHub
andrea-mattioli
Exploit with integrated Shodan search
Reference: GitHub
Vulnmachines
Apache 2.4.50 path traversal vulnerability
Reference: GitHub
twseptian
Docker container lab to play/learn with CVE-2021-42013
Reference: GitHub
LayarKacaSiber
Reference: GitHub
TheLastVvV
PoC CVE-2021-42013 - Apache 2.4.50 without CGI
Reference: GitHub
TheLastVvV
PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI
Reference: GitHub
walnutsecurity
cve-2021-42013.py is a Python script that helps find the path traversal or remote code execution vulnerability in Apache 2.4.50
Reference: GitHub
robotsense1337
Exploit Apache 2.4.50 (CVE-2021-42013)
Reference: GitHub
xMohamed0
Reference: GitHub
asaotomo
Apache remote code execution (CVE-2021-42013) batch detection tool: Apache HTTP Server is an open-source web server from the Apache Foundation (USA). The server is fast, reliable and extensible through a simple API. It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow remote code execution. This issue only affects Apache 2.4.49 and 2.4.50, not earlier versions.
Reference: GitHub
rnsss
CVE-2021-42013-exp
Reference: GitHub
jas9reet
Apache HTTP Server 2.4.50 - RCE Lab
Reference: GitHub
tangxiaofeng7
CVE-2021-42013 batch scanner
Reference: GitHub
mauricelambert
These Nmap, Python and Ruby scripts detect and exploit CVE-2021-42013 (RCE and local file disclosure).
Reference: GitHub
honypot
Reference: GitHub
Adashz
Reference: GitHub
hadrian3689
CVE-2021-42013 - Apache 2.4.50
Reference: GitHub
viliuspovilaika
Exploit for Apache 2.4.50 (CVE-2021-42013)
Reference: GitHub
mightysai1997
Reference: GitHub
mightysai1997
Reference: GitHub
mightysai1997
Reference: GitHub
12345qwert123456
Vulnerable configuration for Apache HTTP Server version 2.4.49/2.4.50
Reference: GitHub
cybfar
CVE: 2021-42013. Tested on: 2.4.49 and 2.4.50. Description: path traversal or remote code execution vulnerabilities in Apache 2.4.49 and 2.4.50
Reference: GitHub
vudala
Exploring CVE-2021-42013, using Suricata and OpenVAS to gather info
Reference: GitHub
birdlinux
Apache 2.4.50 automated remote code execution and path traversal
Reference: GitHub
Hamesawian
Reference: GitHub
K3ysTr0K3R
A PoC exploit for CVE-2021-42013 - Apache 2.4.49 & 2.4.50 remote code execution
Reference: GitHub
imhunterand
Reference: GitHub
BassoNicolas
CVE-2021-42013 Vulnerability Scanner: this Python script checks for the remote code execution (RCE) vulnerability (CVE-2021-42013) in Apache 2.4.50.
Reference: GitHub
Content on GitHub
inbug-team | watchers:148
CVE-2021-41773_CVE-2021-42013
CVE-2021-41773 / CVE-2021-42013 batch vulnerability detection tool
Reference: GitHub
MrCl0wnLab | watchers:60
SimplesApachePathTraversal
Tool check: CVE-2021-41773, CVE-2021-42013, CVE-2020-17519
Reference: GitHub
Ls4ss | watchers:22
CVE-2021-41773_CVE-2021-42013
Apache HTTP Server 2.4.49, 2.4.50 - Path Traversal & RCE
Reference: GitHub
im-hanzou | watchers:22
apachrot
Apache (Linux) CVE-2021-41773/2021-42013 Mass Vulnerability Checker
Reference: GitHub
theLSA | watchers:8
apache-httpd-path-traversal-checker
Apache httpd path traversal checker (CVE-2021-41773 / CVE-2021-42013)
Reference: GitHub
Zeop-CyberSec | watchers:13
apache_normalize_path
Metasploit-Framework modules (scanner and exploit) for CVE-2021-41773 and CVE-2021-42013 (path traversal in Apache 2.4.49/2.4.50)
Reference: GitHub
5gstudent | watchers:4
cve-2021-41773-and-cve-2021-42013
CVE-2021-41773 and CVE-2021-42013 batch detection script
Reference: GitHub
CalfCrusher | watchers:5
Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit
CVE-2021-41773 | CVE-2021-42013 Exploit Tool (Apache/2.4.49-2.4.50)
Reference: GitHub
wangfly-me | watchers:14
Apache_Penetration_Tool
Graphical (GUI) vulnerability detection and exploitation tool for CVE-2021-41773 & CVE-2021-42013
Reference: GitHub
OfriOuzan | watchers:4
CVE-2021-41773_CVE-2021-42013_Exploits
Exploit CVE-2021-41773 and CVE-2021-42013
Reference: GitHub
cgddgc | watchers:5
CVE-2021-41773-42013
Reference: GitHub
zerodaywolf | watchers:1
CVE-2021-41773_42013
Lab setup for CVE-2021-41773 (Apache httpd 2.4.49) and CVE-2021-42013 (Apache httpd 2.4.50).
Reference: GitHub
Hydragyrum | watchers:5
CVE-2021-41773-Playground
Some Docker images to play with CVE-2021-41773 and CVE-2021-42013
Reference: GitHub
blackn0te | watchers:4
Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution
Apache HTTP Server 2.4.49-2.4.50 Path Traversal & Remote Code Execution PoC (CVE-2021-41773 & CVE-2021-42013)
Reference: GitHub
corelight | watchers:1
CVE-2021-41773
A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013)
Reference: GitHub