New Vulnerabilities Affecting Apache Server 2.4.49/2.4.50 – CVE-2021-41773 & CVE-2021-42013


Background

On Tuesday, October 5, 2021, Apache released a patch advisory for CVE-2021-41773, a path traversal and file disclosure vulnerability affecting Apache HTTP Server version 2.4.49. Following this patch release, security researchers identified a new remote code execution (RCE) vulnerability, tracked as CVE-2021-42013, that was present in version 2.4.49 and also in the newest version, 2.4.50. On October 7, 2021, Apache released version 2.4.51 of Apache HTTP Server, which now fully remediates both vulnerabilities.

| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
| --- | --- | --- | --- | --- |
| CVE-2021-41773 | 7.5 | High | Path Traversal | Apache HTTP Server Path Traversal Vulnerability |
| CVE-2021-42013 | 9.8 | Critical | Path Traversal & Remote Code Execution | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal |

Analysis

CVE-2021-41773

CVE-2021-41773 was introduced into Apache HTTP Server by a change made to path normalization in version 2.4.49, which was released on September 15. This vulnerability only impacts Apache HTTP Server version 2.4.49 with the “require all denied” access control configuration disabled. According to the security advisory, CVE-2021-41773 has been exploited in the wild as a zero-day.

CVE-2021-42013

CVE-2021-42013 builds upon CVE-2021-41773, a flaw that impacts Apache web servers running version 2.4.49 and involves a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.

Solutions and Recommendations

First, you should determine if you are running an at-risk version of Apache HTTP Server: 2.4.49 or 2.4.50. These vulnerabilities only affect version 2.4.49 or 2.4.50 of Apache HTTP Server running on either Windows or Linux. If you do not have any of these versions running in your network, then you are not at risk of these vulnerabilities.

For any identified Apache HTTP Servers on version 2.4.49 or 2.4.50, determine if it is configured with any of the below options that elevate the risk level of CVE-2021-41773 or CVE-2021-42013:

1. Pages are not protected by the Apache “Require” directive with the value of “all denied”
   a. This elevates the risk of CVE-2021-41773
2. In addition to #1, CGI scripts are also enabled for these aliased pages
   a. This elevates the risk of CVE-2021-42013
3. The Apache Server is exposed to the public internet
   a. This makes the server a prime target for attacks as a threat actor would require no prior network access

If you have Apache HTTP Servers on version 2.4.49 or 2.4.50, upgrade to Apache HTTP Server Version 2.4.51.
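The triage steps above can be scripted per host. The following Python sketch is an added example, not code from Arctic Wolf or the Apache project; it assumes you can collect the `httpd -v` banner and the main configuration text, and as a simplification it inspects only the `<Directory />` block for `Require all denied`. The function names and sample inputs are constructed for illustration.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # versions the advisory names as at risk
# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "Server version: Apache/2.4.49 (Unix)"
SAMPLE_CONFIG = ("LoadModule cgid_module modules/mod_cgid.so\n"
                 "<Directory />\n    Require all granted\n</Directory>\n")

def parse_version(banner):
    """Extract 'x.y.z' from `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def active_lines(config):
    """Yield config lines with comments and blank lines dropped."""
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def root_denied(config):
    """True if the <Directory /> block contains 'Require all denied'."""
    in_root = False
    for line in active_lines(config):
        if re.match(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True
        elif line.lower().startswith("</directory"):
            in_root = False
        elif in_root and re.match(r"Require\s+all\s+denied\b", line, re.I):
            return True
    return False

def cgi_enabled(config):
    """True if mod_cgi or mod_cgid is loaded by an uncommented LoadModule."""
    return any(re.match(r"LoadModule\s+cgid?_module\b", l, re.I) for l in active_lines(config))

def assess(banner, config, internet_exposed):
    """Return the advisory's risk factors that apply to this server."""
    version = parse_version(banner)
    if version not in AFFECTED:
        return []
    findings = [f"version {version} is affected: upgrade to 2.4.51"]
    if not root_denied(config):
        findings.append("no 'Require all denied' on <Directory />: elevated risk of CVE-2021-41773")
        if cgi_enabled(config):
            findings.append("CGI enabled: elevated risk of CVE-2021-42013")
    if internet_exposed:
        findings.append("exposed to the public internet")
    return findings
```

An empty list means the host is not on an affected version; any non-empty result still begins with the upgrade recommendation, because the configuration factors only change the risk level, not the fix.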

Arctic Wolf recommends upgrading to this latest version of Apache HTTP Server to remediate all vulnerabilities. This latest version can be downloaded here:


Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.