Auth bypass in Apache HTTP Server
CVE-2014-8109
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which…
Vulnerability class: Broken Access Control
EPSS: 0.117 (93.8th percentile)
Affected products
- Apache HTTP Server — versions 2.4.1, 2.4.2, 2.4.3
- Oracle Enterprise Manager Ops Center — versions 12.2.0, 12.2.1, 12.3.0
- Canonical Ubuntu Linux — versions 10.04, 12.04, 14.04
- Fedora Project Fedora — version 21
Weakness classification (CWE)
Public proof-of-concept exploits
References
- secalert@redhat.com (x_refsource_CONFIRM, Patch, Third Party Advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Patch, Third Party Advisory, Issue Tracking)
- USN-2523-1 (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
- [oss-security] 20141128 CVE Request: "LuaAuthzProvider" in Apache HTTP Server mixes up arguments (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
- 73040 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
- APPLE-SA-2015-08-13-2 (vendor-advisory, x_refsource_APPLE, Mailing List, Broken Link)
- secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Issue Tracking, Vendor Advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
Frequently asked questions
- What is CVE-2014-8109?
- CVE-2014-8109 is a vulnerability in Apache HTTP Server, classified under Incorrect Authorization. Published 2014-12-29.
- Is CVE-2014-8109 known to be exploited?
- 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.