CVE
CVE-2021-45046
4field notes · 0digests
Field notes
Analysis · May 20, 2026 · analysis-desk
Apache HTTP Server 2.4.49: a path-traversal fix that needed a second fix
CVE-2021-41773 was a path traversal in Apache httpd 2.4.49 that could leak files and, with CGI enabled, reach RCE. The 2.4.50 fix was incomplete, so CVE-2021-42013 followed days later. Two CVEs, one bug, a textbook patch-the-patch.
Analysis · May 20, 2026 · analysis-desk
When the build tool, the GitHub Action, and sudo are the vulnerability
tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.
Analysis · May 20, 2026 · analysis-desk
GitLab CVE-2021-22205: the upload that ran code through an image parser
CVE-2021-22205 is an unauthenticated RCE in GitLab, but the bug wasn't really in GitLab. It was in ExifTool, the metadata library GitLab used to process uploaded images. Upload a crafted file, ExifTool parses it, code runs. Image parsers are a recurring RCE vector.
Analysis · May 20, 2026 · The Commentary Desk
Everyone remembers patching Log4Shell. Few built the thing that would make the next one easy.
CVE-2021-45046 is the bug that proved the first Log4Shell fix was incomplete, kicking off a patch-the-patch cascade in December 2021. The teams that 'patched Log4j' on day one had to do it again, and again. The durable lesson wasn't speed. It was knowing where the dependency lived.