Apache HTTP Server has been the world's most widely used open-source web server for over 25 years. Its massive internet presence makes it a constant target. Several critical vulnerabilities have marked its recent history, including some enabling remote code execution.
CVE-2021-41773 and CVE-2021-42013: Path Traversal and RCE (CVSS 9.8)
The Twin CVEs of October 2021
CVE-2021-41773 is a path traversal flaw in Apache HTTP Server 2.4.49. A defective path normalization allowed an attacker to traverse directories outside the web root using URL-encoded sequences.
```http
GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
```
Conditions: the target directory is not protected by `Require all denied`, and mod_cgi must be enabled for the traversal to escalate to remote code execution.
CVE-2021-42013 bypasses the incomplete patch for CVE-2021-41773. Apache fixed the first flaw in 2.4.50, but the fix only caught single URL encoding — CVE-2021-42013 bypassed it with double encoding.
```http
GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1
```
Affected versions: Apache 2.4.49 (CVE-2021-41773), Apache 2.4.50 (CVE-2021-42013)
CVSS Score: 9.8
These two versions were released within a two-week window. Mass exploitation began within 24 hours of the CVE-2021-41773 patch publication.
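As an added example (not code from this page or from the Apache project), a small Python scanner that flags access-log requests carrying the single-encoded (CVE-2021-41773) and double-encoded (CVE-2021-42013) dot-dot sequences shown above, by percent-decoding the request path up to twice and checking whether it climbs above the web root. The log lines and the log-format regex are constructed here for the demonstration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: the request line is the first quoted field.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def decode_layers(path):
    """Yield the path after 0, 1 and 2 rounds of percent-decoding.
    One decode turns %2e%2e into '..' (CVE-2021-41773); a second decode
    is needed for %%32%65, which first becomes %2e (CVE-2021-42013)."""
    current = path
    yield current
    for _ in range(2):
        current = unquote(current)
        yield current

def escapes_web_root(path):
    """True if, at any decoding layer, the path resolves above its root."""
    for layer in decode_layers(path):
        depth = 0
        for seg in layer.split("?", 1)[0].split("/"):
            if seg == "..":
                depth -= 1
                if depth < 0:
                    return True
            elif seg not in ("", "."):
                depth += 1
    return False

def scan_access_log(lines):
    """Return (line_number, fully_decoded_path, status) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and escapes_web_root(m.group("path")):
            hits.append((n, unquote(unquote(m.group("path"))), m.group("status")))
    return hits

# Constructed sample log lines; a 200 on a traversal path deserves immediate attention.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199',
    '203.0.113.5 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 200 1341',
    '198.51.100.7 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/../docs/guide.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, path, status in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: status {status}: {path}")
```

The last sample line shows a benign `..` that stays inside the root and is correctly not flagged.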
CVE-2017-7679: Buffer Overflow in mod_mime (CVSS 9.8)
A buffer overflow in the mod_mime module enabling remote code execution via manipulated Content-Type HTTP headers. Affected Apache 2.2.x before 2.2.33 and 2.4.x before 2.4.26.
CVE-2024-38476: Information Disclosure via Backend Response (CVSS 9.1)
In 2024, a flaw in backend response handling allowed unintended local script execution in certain Apache httpd configurations used as a front-end proxy.
Dangerous Apache Configurations
Beyond CVEs, many default configurations or common mistakes expose Apache:
Directory Listing Enabled
```apache
# DANGEROUS — exposes file tree
Options Indexes FollowSymLinks
# CORRECT — disable listing
Options -Indexes
```
Server Information Exposure
```apache
# DANGEROUS — reveals version and modules
ServerTokens Full
ServerSignature On
# CORRECT — hide information
ServerTokens Prod
ServerSignature Off
```
mod_status Publicly Exposed
```apache
# DANGEROUS
<Location /server-status>
    SetHandler server-status
</Location>
# CORRECT — restrict to internal IPs
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
```
Securing Apache HTTP Server
1. Update Regularly
```bash
# Check version
apache2 -v
# or
httpd -v
# Update Debian/Ubuntu
apt-get update && apt-get upgrade apache2
# Update CentOS/RHEL
yum update httpd
```
2. Disable Unnecessary Modules
```bash
# List active modules (a2dismod/a2enmod are Debian/Ubuntu tools; on RHEL-style systems, edit the LoadModule lines instead)
apache2ctl -M
# Disable a module, then reload Apache for the change to take effect
a2dismod autoindex # disables directory listing
a2dismod status # disables server-status
a2dismod cgi # disables CGI if not used
```
3. Configure HTTP Security Headers
```apache
# Add to Apache config or .htaccess (requires mod_headers)
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
# X-XSS-Protection is a legacy header that current browsers ignore; CSP below is the effective control
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'"
# Set HSTS only on the HTTPS virtual host
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```
4. Restrict Access to Sensitive Files
```apache
# Block access to configuration files
<FilesMatch "\.(htaccess|htpasswd|env|ini|conf|bak|sql|log)$">
    Require all denied
</FilesMatch>
# Block access to version control directories
<DirectoryMatch "/(\.git|\.svn|\.hg)">
    Require all denied
</DirectoryMatch>
```
5. Limit HTTP Methods
```apache
<Directory "/var/www/html">
    # Only allow GET, POST, HEAD
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
```
6. Enable ModSecurity (WAF)
```bash
# Install ModSecurity (Debian/Ubuntu package names)
apt-get install libapache2-mod-security2
# Enable OWASP CRS rules
apt-get install modsecurity-crs
```
Check Apache CVEs for your version on cveo.tech — search for apache http server for the complete history.