oss-sec mailing list archives
Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
From: Yann Ylavic <ylavic.dev () gmail com>
Date: Sat, 16 Oct 2021 01:31:50 +0200
Hi Román, On Fri, Oct 15, 2021 at 8:01 PM Roman Medina-Heigl Hernandez <roman () rs-labs com> wrote:
Re [1], I think this: "critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)" is still misleading and should read: "critical: Path traversal and Remote Code Execution vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)"
I (for one) would argue that admins/vendors that ship a RCE-vulnerable custom configuration should reserve a CVE like this to notify their users. httpd does not, at least. Cheers; Yann.
Current thread:
- CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Stefan Eissing (Oct 07)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 07)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Solar Designer (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Solar Designer (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 09)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 11)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 15)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 15)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 07)