CrowdSec
6/10CrowdSec Score

Apache HTTP Server - Path Traversal (CVE-2021-41773)

Published on05-10-2021
First seen on11-10-2021
CVSS 7.5/10Apache Software Foundation - Apache HTTP Server

16732Exploiting IPs reported

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

CrowdSec analysis

CVE-2021-41773 is a vulnerability in the Apache HTTP Server that allows attackers to carry out path traversal attacks, potentially enabling access to files outside of intended directories. If CGI scripts are present and enabled, exploitation could lead to remote code execution.

CrowdSec has been tracking this vulnerability and its exploits since 11th of October 2021.

CrowdSec network data shows that most actors exploiting CVE-2021-41773 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2021-41773 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2021-41773 is currently experiencing high visibility and active exploitation across the internet.

Attackers are observed probing for URL patterns containing /icons/.%2e/ or /cgi-bin/.%2e/ to exploit path traversal weaknesses.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Common Weakness Enumeration (CWE)

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

References