CVE-2014-8109

EPSS 17.55%
Published 29.12.2014 23:59:00
Last modified 12.04.2025 10:46:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

Affected products Warnungen 0 Metrics 2 CWE 1 References 28

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ HTTP Server Version2.4.1

Apache ≫ HTTP Server Version2.4.2

Apache ≫ HTTP Server Version2.4.3

Apache ≫ HTTP Server Version2.4.4

Apache ≫ HTTP Server Version2.4.6

Apache ≫ HTTP Server Version2.4.7

Apache ≫ HTTP Server Version2.4.9

Apache ≫ HTTP Server Version2.4.10

Canonical ≫ Ubuntu Linux Version10.04 SwEdition-

Canonical ≫ Ubuntu Linux Version12.04 SwEdition-

Canonical ≫ Ubuntu Linux Version14.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version14.10

Fedoraproject ≫ Fedora Version21

Oracle ≫ Enterprise Manager Ops Center Version < 12.1.4

Oracle ≫ Enterprise Manager Ops Center Version12.2.0

Oracle ≫ Enterprise Manager Ops Center Version12.2.1

Oracle ≫ Enterprise Manager Ops Center Version12.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	17.55%	0.948

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

Broken Link

Mailing List

https://support.apple.com/kb/HT205031

Third Party Advisory

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E