Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2002-0061OS Command Injection in Apache Http Server

CWE-78OS Command InjectionCWE-42Path Equivalence: 'filename.' (Trailing Dot)6 documents6 sources
Severity
7.5HIGHNVD
EPSS
88.3%
top 0.50%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Apache Http Server
Timeline
PublishedMar 21
Latest updateApr 30

Description

Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

NVDapache/http_server2.0.02.0.34+1

🔴Vulnerability Details

2
GHSA
GHSA-6hq5-3246-pmqx: Apache for Win32 before 12022-04-30
CVEList
CVE-2002-0061: Apache for Win32 before 12003-04-02

💥Exploits & PoCs

1
Exploit-DB
Apache Win32 1.3.x/2.0.x - Batch File Remote Command Execution2002-03-21

📋Vendor Advisories

1
Red Hat
CVE-2002-0061: Apache for Win32 before 1

📐Framework References

1
CWE
Path Equivalence: 'filename.' (Trailing Dot)
CVE-2002-0061 — OS Command Injection in Apache | cvebase