mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
No history.
Information
Published : 2014-12-29 23:59
Updated : 2024-02-28 12:20
NVD link : CVE-2014-8109
Mitre link : CVE-2014-8109
CVE.ORG link : CVE-2014-8109
JSON object : View
Products Affected
fedoraproject
- fedora
canonical
- ubuntu_linux
oracle
- enterprise_manager_ops_center
apache
- http_server
CWE
CWE-863
Incorrect Authorization