CVE-2021-42013
Published: 07 October 2021
Summary
CVE-2021-42013 is a critical-severity Path Traversal (CWE-22) vulnerability in Oracle Instantis EnterpriseTrack. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-42013 is a path traversal vulnerability affecting Apache HTTP Server versions 2.4.49 and 2.4.50. It stems from an incomplete fix for the earlier CVE-2021-41773 issue, allowing crafted URLs to map requests to files outside directories defined by Alias-like directives. When such files lack the default "require all denied" protection and CGI scripts are enabled on the aliased paths, the flaw can lead to unauthorized file access or remote code execution. The vulnerability carries a CVSS v3.1 score of 9.8 and is also associated with CWE-22.
Unauthenticated remote attackers can exploit the issue over the network by sending specially formed HTTP requests that bypass directory restrictions. Successful exploitation grants access to sensitive files on the server or, in configurations permitting CGI execution, arbitrary command execution with the privileges of the web server process.
Public references, including JVN advisory JVN51106450 and multiple PacketStorm entries, document exploit code and technical details for Apache 2.4.49/2.4.50, confirming active research and proof-of-concept availability shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-29001
Vulnerability details
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces directory and file access policies so that requests traversing outside Alias-defined paths are denied before files or CGI scripts can be reached.
Requires validation of URL inputs to reject path-traversal sequences that attempt to escape configured directories.
Mandates secure baseline settings such as 'require all denied' for non-Alias paths and disabling CGI on aliased directories, eliminating the conditions the CVE exploits.
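The exposure conditions described above (version 2.4.49 or 2.4.50, no "require all denied" on the filesystem root, CGI enabled on mapped paths) can be checked from `httpd -v` output and the server configuration. The following Python check is an added example, not part of the original advisory; the function names, finding labels and both sample configurations are constructed, and it assumes the default deny is expressed as a `<Directory />` block in a single configuration file.

```python
import re
AFFECTED = {"2.4.49", "2.4.50"}  # versions the advisory names

def active(conf):
    """Lowercased directive lines, comments and blanks dropped."""
    return [s for s in (l.strip().lower() for l in conf.splitlines()) if s and not s.startswith("#")]

def root_denied(conf):
    """True only if <Directory /> has 'Require all denied' and no 'granted'."""
    in_root, rules = False, []
    for l in active(conf):
        if re.match(r'<directory\s+"?/"?\s*>', l):
            in_root = True
        elif l.startswith("</directory"):
            in_root = False
        elif in_root and l.startswith("require"):
            rules.append(" ".join(l.split()))  # normalise whitespace
    return "require all denied" in rules and "require all granted" not in rules

def cgi_enabled(conf):
    """True if mod_cgi/mod_cgid is loaded and some path is mapped for CGI."""
    ls = active(conf)
    loaded = any(re.match(r"loadmodule\s+cgid?_module\b", l) for l in ls)
    mapped = any(l.startswith("scriptalias") or
                 re.match(r"options\b.*(?<!-)execcgi", l) for l in ls)
    return loaded and mapped

def audit(banner, conf):
    """Return which of the advisory's exposure conditions hold."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    checks = {
        "affected-version": bool(m) and m.group(1) in AFFECTED,
        "root-not-denied": not root_denied(conf),
        "cgi-enabled": cgi_enabled(conf),
    }
    return [name for name, hit in checks.items() if hit]

# Constructed sample configurations (not from a real host).
WEAK = """LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""
HARDENED = """#LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all denied
</Directory>
"""
```

A host that reports `affected-version` needs upgrading regardless of the other two findings; the configuration findings only indicate how far a traversal request could reach in the meantime.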