CVE-2014-8109 — Incorrect Authorization in Apache Http Server

CWE-863 — Incorrect Authorization12 documents10 sources

Severity

4.3MEDIUMNVD

EPSS

11.7%

top 6.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Enterprise Manager OPS Center Apache Http Server Canonical Ubuntu Linux +1 more

Timeline

PublishedDec 29

Latest updateMay 13

Description

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorizat…

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDapache/http_server8 versions+7

▶NVDoracle/enterprise_manager_ops_center< 12.1.4+3

Also affects: Fedora 21, Ubuntu Linux 10.04, 12.04, 14.04, 14.10

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-5m8h-wgcr-7x2w: mod_lua↗2022-05-13

▶

CVEList

CVE-2014-8109: mod_lua↗2014-12-29

▶

OSV

CVE-2014-8109: mod_lua↗2014-12-29

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2015-03-10

▶

Red Hat

httpd: LuaAuthzProvider argument handling issue↗2014-11-12

▶

Debian

CVE-2014-8109: apache2 - mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x throug...↗2014

▶

Apple

CVE-2014-8109: OS X Server v5.0.3↗

▶

Apple

CVE-2014-8109: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2014-8109 httpd: LuaAuthzProvider argument handling issue↗2014-12-15

▶

Bugzilla

CVE-2014-8109 httpd: LuaAuthzProvider argument handling issue [fedora-all]↗2014-12-15

▶