mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
07 Sep 2022, 17:44
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:http_server:2.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.15:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:* cpe:2.3:a:apache:http_server:2.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.14:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* cpe:2.3:a:apache:http_server:2.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.5:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* cpe:2.3:a:apache:http_server:2.3.4:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:* |
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:*:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.0:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:* |
CWE | CWE-863 | |
References | (MLIST) https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2014/11/28/5 - Mailing List, Third Party Advisory | |
References | (APPLE) http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html - Broken Link, Mailing List | |
References | (CONFIRM) https://issues.apache.org/bugzilla/show_bug.cgi?id=57204 - Issue Tracking, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (UBUNTU) http://www.ubuntu.com/usn/USN-2523-1 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (CONFIRM) http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - Third Party Advisory | |
References | (CONFIRM) https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb - Patch, Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/HT205219 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (BID) http://www.securityfocus.com/bid/73040 - Third Party Advisory, VDB Entry | |
References | (CONFIRM) http://advisories.mageia.org/MGASA-2015-0011.html - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (APPLE) http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html - Broken Link, Mailing List | |
References | (MLIST) https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT205031 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (FEDORA) http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://bugzilla.redhat.com/show_bug.cgi?id=1174077 - Issue Tracking, Patch, Third Party Advisory |
06 Jun 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2014-12-29 23:59
Updated : 2024-02-04 18:35
NVD link : CVE-2014-8109
Mitre link : CVE-2014-8109
CVE.ORG link : CVE-2014-8109
JSON object : View
Products Affected
oracle
- enterprise_manager_ops_center
canonical
- ubuntu_linux
apache
- http_server
fedoraproject
- fedora
CWE
CWE-863
Incorrect Authorization