Apache HTTP Server 2.4.49/2.4.50 Remote Code Execution (CVE-2021-42013)
Overview
Apache HTTP Server 2.4.49/2.4.50 Remote Code Execution, tracked as CVE-2021-42013, affects specific Apache HTTP Server releases where a path traversal weakness can escape the intended document or alias directories. The issue is especially important because it was an incomplete fix for CVE-2021-41773 and was actively exploited shortly after disclosure.
Vulnerability Overview
CVE-2021-42013 exists because the Apache HTTP Server 2.4.50 fix for CVE-2021-41773 did not fully prevent path traversal. An attacker can craft URL paths that map outside directories configured by Alias-like directives. If the target files are not protected by the normal "Require all denied" configuration, the traversal request can succeed.
Remote code execution becomes possible when CGI scripts are enabled for the affected mapped paths. In that configuration, the vulnerability is more than file disclosure: it can allow attacker-controlled requests to reach executable server-side behavior.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can expose files outside the intended web root and, when CGI execution is enabled, allow unauthenticated remote code execution on the server.
CVE-2021-42013 is listed in the CISA Known Exploited Vulnerabilities catalog, so it should be treated as a practical internet-facing risk rather than only a theoretical misconfiguration case.
Vulnerability Scope
The affected Apache HTTP Server versions are 2.4.49 and 2.4.50. Earlier versions are not affected by this specific issue, and affected deployments should upgrade beyond the vulnerable releases according to Apache guidance.
The highest-risk systems are public Apache servers running the affected versions with Alias-like mappings, insufficient access controls on mapped directories, and CGI execution enabled.
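The risk conditions listed above can be checked against a server banner and a configuration file. The following is an added example, not part of the original lab material: the function name audit and both sample configurations are constructed for illustration. It assumes a single configuration file (Include directives are not followed) and only recognizes the "Require all denied" form inside the <Directory /> block.

```python
import re

AFFECTED_VERSIONS = {"2.4.49", "2.4.50"}  # the two releases the page names

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """\
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
"""
HARDENED_CONF = """\
#LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
Alias /static/ "/srv/static/"
"""

def audit(banner: str, conf: str) -> dict:
    """Check a Server banner and httpd config text for the page's risk conditions."""
    # Apache comments are whole lines whose first non-blank character is '#'.
    active = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    ver = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    root = re.search(r'<Directory\s+"?/"?\s*>(.*?)</Directory>', active, re.I | re.S)
    checks = {
        "affected_version": bool(ver) and ver.group(1) in AFFECTED_VERSIONS,
        "alias_mapping": bool(re.search(r"^\s*(Script)?Alias(Match)?\s", active, re.I | re.M)),
        # True when the filesystem root lacks the default deny rule.
        "root_not_denied": not (root and re.search(
            r"^\s*Require\s+all\s+denied\s*$", root.group(1), re.I | re.M)),
        "cgi_loaded": bool(re.search(r"^\s*LoadModule\s+cgid?_module\s", active, re.I | re.M)),
    }
    traversal = checks["affected_version"] and checks["root_not_denied"]
    if traversal and checks["cgi_loaded"]:
        checks["exposure"] = "remote code execution"
    elif traversal:
        checks["exposure"] = "file disclosure"
    else:
        checks["exposure"] = "none found"
    return checks

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit("Apache/2.4.50 (Unix)", conf))
```

A result of "none found" on an affected version only means this check saw no exposed configuration; affected_version being true still calls for the upgrade.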
Lab Focus
This Hackviser lab focuses on understanding how path normalization mistakes in a web server can become file access and remote code execution issues. You will practice recognizing affected Apache HTTP Server versions, tracing the relationship between path traversal and CGI execution, and connecting the CVE details to practical server hardening.
