Attacker Value

Unknown

Apache HTTPd 2.4.49/2.4.50 路径穿越漏洞

Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

Apache HTTPd 2.4.49/2.4.50 路径穿越漏洞

Last updated October 11, 2021

CVE-2021-42013

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

auxiliary/scanner/http/apache_normalize_path

exploit/multi/http/apache_normalize_path_rce

Description

Apache HTTPd是Apache基金会开源的一款流行的HTTP服务器。
2021年10月8日Apache HTTPd官方发布安全更新，披露了CVE-2021-42013 Apache HTTPd 2.4.49/2.4.50 路径穿越漏洞。由于对CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞的修复不完善，攻击者可构造恶意请求绕过布丁，利用穿越漏洞读取到Web目录之外的其他文件。同时若Apache HTTPd开启了cgi支持，攻击者可构造恶意请求执行命令，控制服务器。阿里云应急响应中心提醒 Apache HTTPd 用户尽快采取安全措施阻止漏洞攻击。

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

Metasploit Modules

auxiliary/scanner/http/apache_normalize_path (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_normalize_path.rb)

exploit/multi/http/apache_normalize_path_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_normalize_path_rce.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: June 14, 2022 9:33pm UTC (2 years ago)

References

Canonical

CVE-2021-42013 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2021-42013 (https://github.com/rafifdna/CVE-2021-42013) (Added by AKB Worker)

Rapid7

Unknown