Cyber Resilience

CVE-2021-42013

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 07 October 2021

Modified: 27 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9441 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-42013 is a critical-severity Path Traversal (CWE-22) vulnerability in Apache HTTP Server 2.4.49 and 2.4.50; affected downstream products include Oracle Instantis Enterprisetrack. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-42013 is a path traversal vulnerability affecting Apache HTTP Server versions 2.4.49 and 2.4.50. It stems from an incomplete fix for the earlier CVE-2021-41773 issue, allowing crafted URLs to map requests to files outside directories defined by Alias-like directives. When such files lack the default "require all denied" protection and CGI scripts are enabled on the aliased paths, the flaw can lead to unauthorized file access or remote code execution. The vulnerability carries a CVSS v3.1 score of 9.8 and is also associated with CWE-22.

Unauthenticated remote attackers can exploit the issue over the network by sending specially formed HTTP requests that bypass directory restrictions. Successful exploitation grants access to sensitive files on the server or, in configurations permitting CGI execution, arbitrary command execution with the privileges of the web server process.
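The two paragraphs above describe the failure condition (a request that the Alias mapping resolves to a file outside the aliased directory, and that the server then serves) without showing how a defender would spot such requests in access logs. The following Python script is an added example, not code from the page or from the Apache project: it parses constructed combined-format log lines, percent-decodes each request path repeatedly (so double-encoded traversal sequences are seen in their decoded form), maps the path through an assumed Alias table, and reports any request whose normalized filesystem path escapes its alias root, together with whether the server answered with a success status. The alias mappings, client addresses and log lines are all constructed for the example. It models the mapping the Alias directive intends, not the flawed normalization in 2.4.49/2.4.50, so it is a triage aid for reviewing logs rather than a reproduction of the bug.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed Alias-style mappings (URL prefix -> filesystem directory). These are
# an assumption for the example, not a real server's configuration.
ALIASES = {
    "/cgi-bin/": "/usr/lib/cgi-bin/",
    "/icons/": "/usr/share/httpd/icons/",
}

# Constructed access log lines in Apache's combined format; the clients, paths and
# byte counts are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Oct/2021:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512
203.0.113.9 - - [07/Oct/2021:10:00:02 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.1" 200 1042
203.0.113.9 - - [07/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1042
203.0.113.9 - - [07/Oct/2021:10:00:04 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 199
198.51.100.2 - - [07/Oct/2021:10:00:05 +0000] "GET /icons/apache%20pb.gif HTTP/1.1" 200 2326
"""

# Request-line fields of a combined-format entry: client, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode the path part repeatedly until it stops changing.

    The loop is bounded so that a pathological input cannot spin forever; three
    rounds are enough to see through double encoding, which a single-pass
    decoder misses.
    """
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_alias(url_path: str):
    """Map a decoded URL path through the Alias table as the directive intends.

    Returns (filesystem_path, inside_alias_root), or None when no alias prefix
    matches. normpath collapses "." and ".." segments the way the filesystem
    would, so a path that escapes the aliased directory is visible directly.
    """
    for prefix, fs_dir in ALIASES.items():
        if url_path.startswith(prefix):
            fs_path = normpath(fs_dir + url_path[len(prefix):])
            inside = fs_path == fs_dir.rstrip("/") or fs_path.startswith(fs_dir)
            return fs_path, inside
    return None


def find_traversal(log_text: str) -> list:
    """Return one finding per request whose decoded target escapes its alias root.

    A success status on such a request is the signal to triage first: the
    server handed back something from outside the directory it was meant to
    serve, which is exactly the condition the CVE text describes.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        resolved = resolve_alias(fully_decode(m["target"]))
        if resolved is None:
            continue
        fs_path, inside = resolved
        if not inside:
            status = int(m["status"])
            findings.append({
                "client": m["client"],
                "target": m["target"],
                "mapped_to": fs_path,
                "status": status,
                "succeeded": status < 400,
            })
    return findings


if __name__ == "__main__":
    for f in find_traversal(SAMPLE_LOG):
        flag = "SUCCEEDED" if f["succeeded"] else "blocked"
        print(f"{f['client']} {f['target']} -> {f['mapped_to']} [{f['status']} {flag}]")
```

Run as-is, the script flags the three escaping requests from 203.0.113.9 and marks the first two as succeeded (status 200), which is the subset worth escalating; the double-encoded one was refused with 403. The legitimate encoded filename under /icons/ decodes cleanly and stays inside its root, so a detector built on decoded-then-normalized paths does not fire on ordinary percent-encoding.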

Public references, including JVN advisory JVN51106450 and multiple PacketStorm entries, document exploit code and technical details for Apache 2.4.49/2.4.50, confirming active research and proof-of-concept availability shortly after disclosure.


Vulnerability details

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product                           Versions
apache          http server                       2.4.49, 2.4.50
fedoraproject   fedora                            34, 35
oracle          instantis enterprisetrack         17.1, 17.2, 17.3
oracle          jd edwards enterpriseone tools    ≤ 9.2.6.0
oracle          secure backup                     ≤ 18.1.0.1.0
netapp          cloud backup                      all versions

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces directory and file access policies so that requests traversing outside Alias-defined paths are denied before files or CGI scripts can be reached.

SI-10 Information Input Validation (prevent): Requires validation of URL inputs to reject path-traversal sequences that attempt to escape configured directories.

Secure configuration baseline (prevent): Mandates secure baseline settings such as 'require all denied' for non-Alias paths and disabling CGI on aliased directories, eliminating the conditions the CVE exploits.
