mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
21 Nov 2024, 02:18
Type | Values Removed | Values Added |
---|---|---|
References | () http://advisories.mageia.org/MGASA-2015-0011.html - Third Party Advisory | |
References | () http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html - Broken Link, Mailing List | |
References | () http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html - Broken Link, Mailing List | |
References | () http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.html - Mailing List, Third Party Advisory | |
References | () http://www.openwall.com/lists/oss-security/2014/11/28/5 - Mailing List, Third Party Advisory | |
References | () http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - Third Party Advisory | |
References | () http://www.securityfocus.com/bid/73040 - Third Party Advisory, VDB Entry | |
References | () http://www.ubuntu.com/usn/USN-2523-1 - Third Party Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=1174077 - Issue Tracking, Patch, Third Party Advisory | |
References | () https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb - Patch, Third Party Advisory | |
References | () https://issues.apache.org/bugzilla/show_bug.cgi?id=57204 - Issue Tracking, Vendor Advisory | |
References | () https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E - | |
References | () https://support.apple.com/HT205219 - Third Party Advisory | |
References | () https://support.apple.com/kb/HT205031 - Third Party Advisory |
Information
Published : 2014-12-29 23:59
Updated : 2024-11-21 02:18
NVD link : CVE-2014-8109
Mitre link : CVE-2014-8109
CVE.ORG link : CVE-2014-8109
JSON object : View
Products Affected
canonical
- ubuntu_linux
apache
- http_server
fedoraproject
- fedora
oracle
- enterprise_manager_ops_center
CWE
CWE-863
Incorrect Authorization