4.3

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHTTP Server Version2.4.1
ApacheHTTP Server Version2.4.2
ApacheHTTP Server Version2.4.3
ApacheHTTP Server Version2.4.4
ApacheHTTP Server Version2.4.6
ApacheHTTP Server Version2.4.7
ApacheHTTP Server Version2.4.9
ApacheHTTP Server Version2.4.10
CanonicalUbuntu Linux Version10.04 SwEdition-
CanonicalUbuntu Linux Version12.04 SwEdition-
CanonicalUbuntu Linux Version14.04 SwEditionesm
CanonicalUbuntu Linux Version14.10
FedoraprojectFedora Version21
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 22.02% 0.974
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
Broken Link
Mailing List
https://support.apple.com/kb/HT205031
Third Party Advisory
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Third Party Advisory
https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
Broken Link
Mailing List
https://support.apple.com/HT205219
Third Party Advisory
http://www.ubuntu.com/usn/USN-2523-1
Third Party Advisory
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
http://advisories.mageia.org/MGASA-2015-0011.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.html
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2014/11/28/5
Third Party Advisory
Mailing List
http://www.securityfocus.com/bid/73040
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1174077
Patch
Third Party Advisory
Issue Tracking
https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb
Patch
Third Party Advisory
https://issues.apache.org/bugzilla/show_bug.cgi?id=57204
Vendor Advisory
Issue Tracking