CVSS 3.1 Score 9.8 of 10 (high)


Published Oct 7, 2021
Updated: Nov 7, 2023


CVE-2021-42013 is a critical vulnerability that affects Apache HTTP Server versions 2.4.49 and 2.4.50. The fix for CVE-2021-41773 in these versions was found to be insufficient, allowing an attacker to perform a path traversal attack and access files outside of the directories specified by Alias-like directives. If the default configuration "require all denied" does not protect these files, the attacker can successfully execute their requests. Moreover, if CGI scripts are enabled for these aliased paths, remote code execution becomes possible. The potential danger posed by this vulnerability is high, as it can lead to unauthorized access to sensitive files and even allow attackers to execute arbitrary code on affected systems. Organizations using Apache HTTP Server should update to version 2.4.51 or apply the appropriate patches provided by the vendor to remediate this vulnerability and mitigate the associated risks.

Note: This summary is based on the information provided and does not reflect any personal opinions or biases.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2021-42013 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options