CVE-2015-3185

Severity
4.3 MEDIUM
EPSS
9.5%
top 7.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jul 20
Latest update May 13

Description

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (6 packages)

NVD | apache/http_server | 12 versions | +11
Debian | apache2 | < 2.4.16-1 | +3
Ubuntu | apache2 | < 2.4.7-1ubuntu4.5
NVD | apple/xcode | 7.0

Also affects: Ubuntu Linux 12.04, 14.04, 15.04

🔴 Vulnerability Details (5)

GHSA | GHSA-5fv4-m5x3-j32p: The ap_some_auth_required function in server/request | 2022-05-13
OSV | php5 vulnerabilities | 2016-04-21
OSV | apache2 vulnerabilities | 2015-07-27
CVEList | CVE-2015-3185: The ap_some_auth_required function in server/request | 2015-07-20
OSV | CVE-2015-3185: The ap_some_auth_required function in server/request | 2015-07-20

📋 Vendor Advisories (7)

Ubuntu | Apache HTTP Server vulnerabilities | 2015-07-27
Red Hat | httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4 | 2015-07-15
Debian | CVE-2015-3185: apache2 - The ap_some_auth_required function in server/request.c in the Apache HTTP Server... | 2015
Apple | CVE-2015-3185: Xcode 7.0
Apache | Apache httpd: CVE-2015-3185

💬 Community (3)

Bugzilla | CVE-2016-3185 php: Type confusion vulnerability in make_http_soap_request() | 2016-03-07
Bugzilla | CVE-2015-3185 CVE-2015-3183 CVE-2015-0253 httpd: various flaws [fedora-all] | 2015-07-16
Bugzilla | CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4 | 2015-07-16