Apache HTTP Server 2.3.x / 2.4.x < 2.4.12 Authorization Bypass
Severity: Medium. Nessus Network Monitor Plugin ID 8587

Synopsis
The remote web server may be affected by an authorization bypass vulnerability.
Description
Versions of Apache HTTP Server 2.3.x and 2.4.x prior to 2.4.12 are affected by an authorization bypass vulnerability (CVE-2014-8109) caused by insufficient authorization enforcement in the LuaAuthzProvider of mod_lua. Specifically, mod_lua.c does not correctly handle a configuration in which the same LuaAuthzProvider is referenced by multiple Require directives with different arguments (for example, one Require in one context and a second Require with a different argument string in another). In such a configuration the access check may not apply the restriction the administrator intended, so a remote attacker may be able to reach protected resources and obtain sensitive information that aids further attacks. Servers that do not load mod_lua, or that do not use LuaAuthzProvider in this way, are not affected even if their version falls in the range.
Solution
Upgrade to Apache HTTP Server version 2.4.12 or later. Alternatively, apply the mod_lua.c patch from the Apache bug report for this issue and rebuild the module. Because this plugin identifies the issue from the version the server reports, confirm that mod_lua is loaded and that a LuaAuthzProvider is used in multiple Require directives with different arguments before treating the finding as exploitable.
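The following script is an added example written for this page; it is not part of the Nessus plugin or of Apache httpd. It implements the two checks an administrator would run to confirm or dismiss this finding on a host: whether the httpd version falls in the affected range (2.3.x, or 2.4.x below 2.4.12), and whether the configuration contains the pattern the Description names, namely one LuaAuthzProvider name referenced by Require directives with more than one distinct argument string. The provider name "fooauth", the Lua script path and the Location blocks in the sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Nessus plugin or of Apache httpd.
# Check (1): is the httpd version in the range 2.3.x / 2.4.x < 2.4.12?
# Check (2): does a configuration use one LuaAuthzProvider name in Require
# directives with different argument strings (the affected pattern)?
# The provider name "fooauth" and all paths below are made up for the example.

# httpd_version_affected VERSION
# Exit status 0 if VERSION (e.g. "2.4.10", as printed by `httpd -v`) is in the
# affected range, 1 otherwise. A suffix such as "2.4.10-dev" is tolerated
# because awk's numeric coercion stops at the first non-digit character.
httpd_version_affected() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0
        if (major == 2 && minor == 3) exit 0            # every 2.3.x release
        if (major == 2 && minor == 4 && patch < 12) exit 0
        exit 1
    }'
}

# lua_providers_with_mixed_require_args < httpd.conf
# Reads a configuration on stdin and prints every LuaAuthzProvider name that is
# referenced by Require directives carrying more than one distinct argument
# string. Exit status 0 if at least one such provider exists, 1 otherwise.
# Limitations: Include/IncludeOptional files are not followed, and a "#"
# inside a quoted argument is treated as the start of a comment.
lua_providers_with_mixed_require_args() {
    awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); if (NF == 0) next }
    tolower($1) == "luaauthzprovider" { providers[$2] = 1 }
    tolower($1) == "require" {
        first = 2
        if (tolower($2) == "not") first = 3      # "Require not <provider> ..."
        name = $first
        args = ""
        for (i = first + 1; i <= NF; i++)
            args = args (i > first + 1 ? " " : "") $i
        if (!((name, args) in seen)) { seen[name, args] = 1; variants[name]++ }
    }
    END {
        hit = 0
        for (p in variants)
            if ((p in providers) && variants[p] > 1) { print p; hit = 1 }
        exit hit ? 0 : 1
    }'
}

# Constructed sample: the affected pattern, one provider name used with two
# different argument strings in two contexts.
VULNERABLE_CONF='LoadModule lua_module modules/mod_lua.so
LuaAuthzProvider fooauth /usr/local/apache2/lua/authz.lua authz_check
<Location "/admin">
    Require fooauth admins
</Location>
<Location "/reports">
    Require fooauth analysts   # same provider, different argument
</Location>'

# Constructed sample: the same provider, but every Require passes the same
# argument, so the pattern from the Description is absent.
SINGLE_ARG_CONF='LuaAuthzProvider fooauth /usr/local/apache2/lua/authz.lua authz_check
<Location "/admin">
    Require fooauth staff
</Location>
<Location "/reports">
    Require fooauth staff
</Location>'

# Usage: sh check_mod_lua_authz.sh 2.4.10 /etc/httpd/conf/httpd.conf
if [ $# -eq 2 ]; then
    if httpd_version_affected "$1"; then
        echo "httpd $1 is in the affected range"
    else
        echo "httpd $1 is not in the affected range"
    fi
    if lua_providers_with_mixed_require_args < "$2"; then
        echo "(providers above are used with mixed Require arguments in $2)"
    else
        echo "no LuaAuthzProvider used with mixed Require arguments in $2"
    fi
fi
```

Both checks must hold for the host to be exposed: an affected version with no such Require pattern is a version-only finding, and the configuration pattern on 2.4.12 or later is handled correctly. Run the script against the configuration that httpd actually loads (the path shown by `httpd -V` as SERVER_CONFIG_FILE), and remember that it does not descend into Include files.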