Information disclosure in Apache Http_server
CVE-2015-3184
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.
Vulnerability class: Information Disclosure
EPSS: 0.170 (95.1th percentile)
Affected products
- Apache Http_server — versions 2.4.1, 2.4.2, 2.4.3
- Apache Subversion — versions 1.7.0, 1.7.1, 1.7.2
- Apple Xcode
References
- RHSA-2015:1742 (x_refsource_REDHAT, vendor-advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
- DSA-3331 (vendor-advisory, x_refsource_DEBIAN)
- openSUSE-SU-2015:1401 (vendor-advisory, x_refsource_SUSE)
- 76274 (vdb-entry, x_refsource_BID)
- USN-2721-1 (x_refsource_UBUNTU, vendor-advisory)
- 1033215 (vdb-entry, x_refsource_SECTRACK)
- APPLE-SA-2016-03-21-4 (vendor-advisory, x_refsource_APPLE)
- GLSA-201610-05 (vendor-advisory, x_refsource_GENTOO)
Frequently asked questions
- What is CVE-2015-3184?
- CVE-2015-3184 is a vulnerability in Apache Http_server, classified under Information Disclosure. Published 2015-08-12.
- Is CVE-2015-3184 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.