Cyber Resilience

CVE-2021-41773

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 05 October 2021
Modified: 17 February 2026
KEV Added: 03 November 2021
Patch: 11 October 2021
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9439 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-41773 is a critical-severity Path Traversal (CWE-22) vulnerability in Oracle Instantis Enterprisetrack. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A flaw exists in path normalization logic introduced in Apache HTTP Server 2.4.49 that permits path traversal. The affected component is the core request-handling code responsible for mapping URLs to filesystem locations when Alias-like directives are in use. The vulnerability is tracked as CVE-2021-41773, carries a CVSS 3.1 score of 9.8, and is classified under CWE-22.

An unauthenticated remote attacker can supply a crafted URL containing directory-traversal sequences to reach files outside the directories explicitly configured by Alias directives. When those files lack the default “require all denied” protection, the server returns their contents; if CGI scripting is also enabled for the aliased paths, the same traversal can be used to execute arbitrary commands, resulting in full remote code execution. The flaw is present only in version 2.4.49 and does not affect earlier releases.

Public exploit code for both path traversal and remote code execution has been published, and the issue is confirmed to have been exploited in the wild. The initial remediation shipped in 2.4.50 was later determined to be incomplete, leading to the follow-on vulnerability CVE-2021-42013.

EU & UK References

Vulnerability details

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product                    Versions
apache          http server                2.4.49
fedoraproject   fedora                     34, 35
oracle          instantis enterprisetrack  17.1, 17.2, 17.3
netapp          cloud backup               all versions

Mitigating Controls (NIST 800-53 r5)

Prevent: Rejects crafted URLs containing directory-traversal sequences before Apache's flawed path-normalization logic can map them outside Alias directories.

Prevent: Enforces the configured "require all denied" policy on files outside explicitly aliased paths, blocking both disclosure and CGI-based RCE even if traversal occurs.

Prevent: Disables unnecessary CGI scripting on aliased paths and removes non-essential server features that would otherwise turn a traversal into remote code execution.
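The first two controls above, and the "Deeper analysis" section's description of how a traversal reaches files outside an Alias directory, are modelled in the following added Python example. It is not Apache HTTP Server code and not code from this page: it contrasts a constructed, deliberately flawed mapper (alias prefix matched on the raw URL, decoding done only afterwards) with a hardened one (decode, canonicalize, then map), and layers a default-deny check that plays the role of "require all denied" on the filesystem root. The alias table, document root and sample request paths are all constructed for illustration.

```python
"""Model of URL-to-filesystem mapping with and without the two controls
discussed for CVE-2021-41773.  Added example; not Apache's own code."""
import posixpath
from urllib.parse import unquote

# Constructed configuration, in the spirit of Alias-style directives.
DOCUMENT_ROOT = "/usr/local/apache2/htdocs"
ALIASES = {
    "/cgi-bin/": "/usr/local/apache2/cgi-bin",
    "/icons/": "/usr/local/apache2/icons",
}
# Directories that are explicitly allowed; everything else is denied by default.
ALLOWED_ROOTS = [DOCUMENT_ROOT, *ALIASES.values()]


def decode_fully(raw, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that any
    encoded form of '.' or '/' is visible before the path check runs."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def canonicalize(url_path):
    """Collapse '.', '..' and empty segments of a decoded URL path.
    Returns None if '..' would climb above the URL root: that request is
    rejected outright rather than mapped (input validation, SI-10 style)."""
    parts = []
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None
            parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def within(path, root):
    """True if path is root itself or lies beneath it (string logic only)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def default_deny_allows(fs_path):
    """Access enforcement (AC-3 style): model of 'require all denied' on '/'.
    The resolved location must sit under an explicitly allowed directory."""
    resolved = posixpath.normpath(fs_path)
    return any(within(resolved, root) for root in ALLOWED_ROOTS)


def naive_map(raw):
    """Constructed flawed ordering: match the alias prefix on the raw URL,
    decode only the remainder afterwards, never re-check the result.
    Traversal in the remainder survives into the filesystem path."""
    for prefix, root in ALIASES.items():
        if raw.startswith(prefix):
            return root + "/" + unquote(raw[len(prefix):])
    return DOCUMENT_ROOT + unquote(raw)


def hardened_map(raw):
    """Decode, canonicalize, then map.  Returns None when the URL tries to
    climb above the root, so no filesystem path is ever built for it."""
    canonical = canonicalize(decode_fully(raw))
    if canonical is None:
        return None
    for prefix, root in ALIASES.items():
        if canonical.startswith(prefix):
            return root + "/" + canonical[len(prefix):]
    return DOCUMENT_ROOT + canonical


def verdict(raw, mapper):
    """Run one request through the chosen mapper plus the default-deny layer.
    'reject' = bad input never reached mapping; 'deny' = mapped outside the
    allowed directories; 'ok' = safe to serve."""
    fs_path = mapper(raw)
    if fs_path is None:
        return "reject"
    if not default_deny_allows(fs_path):
        return "deny"
    return "ok"


# Constructed sample requests: two ordinary ones, two traversal attempts.
SAMPLE_REQUESTS = [
    "/icons/apache_pb.gif",
    "/cgi-bin/printenv",
    "/icons/%2e%2e/%2e%2e/secret/db.conf",
    "/../server.conf",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:40} naive={verdict(req, naive_map):7} hardened={verdict(req, hardened_map)}")
```

With the flawed mapper, the traversal requests still come back "deny" rather than "ok": that is exactly what the "require all denied" default buys when normalization is broken, and why the second control blocks disclosure even if traversal occurs. The hardened mapper returns "reject" for the same inputs before any filesystem path exists, which is the first control. Running both layers together is the intent; neither one alone is the fix for the 2.4.49 logic, which was corrected in the vendor patch.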

References