CVE - CVE-2014-8109

CVE-ID
CVE-2014-8109	Learn more at National Vulnerability Database (NVD) • Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Description
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20141128 CVE Request: "LuaAuthzProvider" in Apache HTTP Server mixes up arguments URL:http://www.openwall.com/lists/oss-security/2014/11/28/5 CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1174077 CONFIRM:https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb CONFIRM:https://issues.apache.org/bugzilla/show_bug.cgi?id=57204 CONFIRM:http://advisories.mageia.org/MGASA-2015-0011.html CONFIRM:https://support.apple.com/kb/HT205031 CONFIRM:https://support.apple.com/HT205219 CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html APPLE:APPLE-SA-2015-08-13-2 URL:http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html APPLE:APPLE-SA-2015-09-16-4 URL:http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html FEDORA:FEDORA-2015-9216 URL:http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.html UBUNTU:USN-2523-1 URL:http://www.ubuntu.com/usn/USN-2523-1 BID:73040 URL:http://www.securityfocus.com/bid/73040
Assigning CNA
N/A
Date Entry Created
20141010	Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20141010)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE list, which standardizes names for security problems.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org