Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/3659?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3659?format=api", "vulnerability_id": "VCID-3c4z-fnu7-h3af", "summary": "directory traversal", "aliases": [ { "alias": "CVE-2021-42013" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1524?format=api", "purl": "pkg:alpm/archlinux/apache@2.4.51-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/apache@2.4.51-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/75018?format=api", "purl": "pkg:apache/httpd@2.4.51", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1dng-z415-n3cp" }, { "vulnerability": "VCID-vztc-xrcf-x7bk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apache/httpd@2.4.51" }, { "url": "http://public2.vulnerablecode.io/api/packages/88160?format=api", "purl": "pkg:deb/debian/apache2@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/88240?format=api", "purl": "pkg:deb/debian/apache2@2.4.51-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.51-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/88145?format=api", "purl": "pkg:deb/debian/apache2@2.4.62-1~deb11u1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-urh9-bae6-1yc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.62-1~deb11u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/88143?format=api", "purl": "pkg:deb/debian/apache2@2.4.67-1~deb12u2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-urh9-bae6-1yc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.67-1~deb12u2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/88148?format=api", "purl": "pkg:deb/debian/apache2@2.4.67-1~deb13u2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-urh9-bae6-1yc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.67-1~deb13u2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/88146?format=api", "purl": "pkg:deb/debian/apache2@2.4.67-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-urh9-bae6-1yc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.67-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/88147?format=api", "purl": "pkg:deb/debian/apache2@2.4.67-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.67-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/192936?format=api", "purl": "pkg:ebuild/app-admin/apache-tools@2.4.54", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:ebuild/app-admin/apache-tools@2.4.54" }, { "url": "http://public2.vulnerablecode.io/api/packages/192937?format=api", "purl": "pkg:ebuild/www-servers/apache@2.4.54", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:ebuild/www-servers/apache@2.4.54" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1523?format=api", "purl": "pkg:alpm/archlinux/apache@2.4.50-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3c4z-fnu7-h3af" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/apache@2.4.50-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/75016?format=api", "purl": "pkg:apache/httpd@2.4.49", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3c4z-fnu7-h3af" }, { "vulnerability": "VCID-fzbd-mhtw-eybp" }, { "vulnerability": "VCID-p4z4-22k5-kqam" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apache/httpd@2.4.49" }, { "url": "http://public2.vulnerablecode.io/api/packages/75017?format=api", "purl": "pkg:apache/httpd@2.4.50", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3c4z-fnu7-h3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apache/httpd@2.4.50" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42013.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42013.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-42013", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.9441", "scoring_system": "epss", "scoring_elements": "0.99979", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-42013" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011900", "reference_id": "2011900", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011900" }, { "reference_url": "https://security.archlinux.org/ASA-202110-1", "reference_id": "ASA-202110-1", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202110-1" }, { "reference_url": "https://security.archlinux.org/AVG-2450", "reference_id": "AVG-2450", "reference_type": "", "scores": [ { "value": 
"Critical", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2450" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50406.sh", "reference_id": "CVE-2021-42013", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50406.sh" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50446.sh", "reference_id": "CVE-2021-42013", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50446.sh" }, { "reference_url": "https://httpd.apache.org/security/json/CVE-2021-42013.json", "reference_id": "CVE-2021-42013", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "apache_httpd", "scoring_elements": "" } ], "url": "https://httpd.apache.org/security/json/CVE-2021-42013.json" }, { "reference_url": "https://security.gentoo.org/glsa/202208-20", "reference_id": "GLSA-202208-20", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202208-20" } ], "weaknesses": [ { "cwe_id": 22, "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "description": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." 
} ], "exploits": [ { "date_added": null, "description": "This module exploits an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773).\n If files outside of the document root are not protected by 'require all denied' and CGI has been explicitly enabled,\n it can be used to execute arbitrary commands (Remote Command Execution).\n This vulnerability has been reintroduced in the Apache 2.4.50 fix (CVE-2021-42013).", "required_action": null, "due_date": null, "notes": "Stability:\n - crash-safe\nReliability:\n - repeatable-session\nSideEffects:\n - ioc-in-logs\n - artifacts-on-disk\n", "known_ransomware_campaign_use": false, "source_date_published": "2021-05-10", "exploit_type": null, "platform": "Linux,Unix", "source_date_updated": null, "data_source": "Metasploit", "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/apache_normalize_path_rce.rb" }, { "date_added": "2021-11-03", "description": "Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under default require all denied or if CGI scripts are enabled. 
This CVE ID resolves an incomplete patch for CVE-2021-41773.", "required_action": "Apply updates per vendor instructions.", "due_date": "2021-11-17", "notes": "https://nvd.nist.gov/vuln/detail/CVE-2021-42013", "known_ransomware_campaign_use": true, "source_date_published": null, "exploit_type": null, "platform": null, "source_date_updated": null, "data_source": "KEV", "source_url": null }, { "date_added": "2021-11-11", "description": "Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)", "required_action": null, "due_date": null, "notes": null, "known_ransomware_campaign_use": true, "source_date_published": "2021-11-11", "exploit_type": "webapps", "platform": "multiple", "source_date_updated": "2022-04-19", "data_source": "Exploit-DB", "source_url": "" } ], "severity_range_score": "8.1 - 10.0", "exploitability": "0.5", "weighted_severity": "9.0", "risk_score": 4.5, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3c4z-fnu7-h3af" }