CVE-2021-42013 Overview
CVE-2021-42013 is a critical path traversal vulnerability in Apache HTTP Server that was introduced as an incomplete fix for the earlier CVE-2021-41773 vulnerability. The flaw allows attackers to craft malicious URLs that bypass the intended directory restrictions, enabling access to files outside of directories configured by Alias-like directives. When combined with enabled CGI scripts on the affected paths, this vulnerability escalates to remote code execution, giving attackers complete control over the vulnerable server.
This vulnerability is particularly dangerous because it affects servers that were patched for CVE-2021-41773 with version 2.4.50, meaning administrators who believed they were protected remained vulnerable. The attack requires no authentication and can be executed remotely over the network, making it highly attractive to threat actors.
Critical Impact
This vulnerability is actively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. It allows unauthenticated remote code execution on vulnerable Apache HTTP Server instances versions 2.4.49 and 2.4.50.
Affected Products
- Apache HTTP Server 2.4.49
- Apache HTTP Server 2.4.50
- Fedora 34 and 35 (with vulnerable Apache packages)
- Oracle Instantis EnterpriseTrack 17.1, 17.2, 17.3
- Oracle JD Edwards EnterpriseOne Tools
- Oracle Secure Backup
- NetApp Cloud Backup
Discovery Timeline
- 2021-10-07 - CVE-2021-42013 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2021-42013
Vulnerability Analysis
The vulnerability stems from an insufficient fix for CVE-2021-41773, where the path normalization routine in Apache HTTP Server failed to properly handle double-URL-encoded path traversal sequences. While the original fix addressed single-encoded traversal attempts (e.g., %2e%2e), it did not account for double-encoded variants that bypass the initial decoding pass.
The path traversal mechanism allows attackers to escape the web root directory and access arbitrary files on the system. When the server has mod_cgi enabled and the traversed path allows CGI execution, attackers can leverage this to execute arbitrary commands on the underlying operating system. This vulnerability requires no privileges and can be exploited by any network-accessible client.
The impact of successful exploitation includes unauthorized file access, data exfiltration, and in the worst case, full system compromise through remote code execution. Organizations running vulnerable versions should consider this an emergency patching priority.
Root Cause
The root cause is inadequate input validation in the URL path normalization routine. The fix for CVE-2021-41773 only decoded and validated paths at a single level, failing to recursively decode or detect double-encoded traversal sequences. Attackers discovered that encoding the path separator and dot characters twice (e.g., .%%32%65/ instead of ../) would bypass the first decoding pass and be decoded to a traversal sequence on the second pass, after validation had already occurred.
The server's Alias directive processing trusted the normalized path without verifying that subsequent decoding wouldn't produce path traversal sequences. This represents a classic case of insufficient defense-in-depth in path canonicalization.
Attack Vector
The attack is conducted remotely over the network without requiring authentication. An attacker sends an HTTP request with a specially crafted URL containing double-URL-encoded path traversal sequences targeting the /cgi-bin directory or other aliased paths.
The attack flow operates as follows: The attacker identifies a vulnerable Apache server running version 2.4.49 or 2.4.50. They then craft a request with double-encoded traversal sequences such as .%%32%65/ to escape the document root. If directory protections are misconfigured (lacking require all denied), they can read arbitrary files. If CGI is enabled on the traversed path, they can achieve command execution by targeting the cgi-bin handler with shell commands passed via POST data or query parameters.
The exploitation is straightforward and requires minimal skill, with multiple public proof-of-concept exploits available. The Packet Storm Exploit Archive contains several working examples demonstrating both file read and RCE variants.
Detection Methods for CVE-2021-42013
Indicators of Compromise
- HTTP access logs containing double-URL-encoded sequences such as .%%32%65, .%%32e, or %%2e%2e in request URIs
- Requests targeting /cgi-bin/ paths with unusual traversal patterns attempting to access /bin/sh, /bin/bash, or other system binaries
- POST requests to CGI handlers containing shell metacharacters or command execution patterns
- Evidence of file access outside the web document root in server error logs
- Unusual process spawning from the Apache httpd parent process
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block double-URL-encoded path traversal sequences in HTTP requests
- Implement log analysis to identify requests containing suspicious encoded patterns such as %25, %%32, and %%65 combinations
- Monitor for unexpected child processes spawned by the Apache httpd process, particularly shell interpreters
- Use SentinelOne Singularity to detect behavioral indicators of post-exploitation activity including reverse shells and lateral movement
Monitoring Recommendations
- Enable verbose Apache access logging and retain logs for forensic analysis with focus on request URIs and response codes
- Configure alerts for any 200 OK responses to requests containing encoded traversal sequences
- Monitor network traffic for outbound connections from the web server to unusual destinations which may indicate reverse shell activity
- Implement file integrity monitoring on critical system directories that should not be accessible via the web server
How to Mitigate CVE-2021-42013
Immediate Actions Required
- Upgrade Apache HTTP Server immediately to version 2.4.51 or later which contains the complete fix for both CVE-2021-41773 and CVE-2021-42013
- Verify that the default require all denied configuration is applied to all directories outside the intended web root
- Disable CGI execution if not required for business operations to reduce the attack surface
- Deploy WAF rules to block double-encoded path traversal attempts as an additional defense layer
- Review Apache access logs for indicators of compromise before assuming the system is clean
Patch Information
Apache released version 2.4.51 to address this vulnerability. The fix properly handles all URL encoding variants during path normalization, preventing both single and double-encoded traversal attempts. Administrators should update immediately using their distribution's package manager or by downloading from the Apache HTTP Server Security Advisories page.
Multiple vendor-specific patches are available including Oracle's Critical Patch Update from January 2022 and Oracle's April 2022 CPU for affected Oracle products. The NetApp Security Advisory provides guidance for NetApp Cloud Backup users.
Workarounds
- Apply strict require all denied directives to all directories outside the document root in your Apache configuration
- Disable mod_cgi and mod_cgid modules if CGI functionality is not required for your application
- Implement network-level access controls to restrict access to the Apache server from untrusted networks
- Deploy a reverse proxy or WAF in front of Apache to filter malicious requests before they reach the vulnerable server
- Consider running Apache in a containerized or chroot environment to limit the impact of successful exploitation
# Apache configuration hardening example
# Add to httpd.conf or apache2.conf
# Deny access to the entire filesystem by default
<Directory />
Require all denied
</Directory>
# Only allow access to the specific document root
<Directory "/var/www/html">
Require all granted
</Directory>
# Disable CGI if not needed
# Comment out or remove these lines:
# LoadModule cgi_module modules/mod_cgi.so
# LoadModule cgid_module modules/mod_cgid.so
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
