Apache HTTP Server 2.3.x / 2.4.x < 2.4.12 Authorization Bypass

Nessus Network Monitor Plugin ID 8587 (severity: low)

Synopsis

The remote web server may be affected by an authorization bypass vulnerability.

Description

Versions of Apache HTTP Server 2.3.x and 2.4.x prior to 2.4.12 are affected by an authorization bypass vulnerability in the mod_lua module (mod_lua.c). When the same LuaAuthzProvider is referenced by more than one Require directive with different arguments, the module does not handle those directives independently, so the access restriction intended for one resource may not be enforced as configured. A remote attacker can leverage this to bypass the intended access restrictions (CVE-2014-8109); the CVSS vectors below reflect an integrity impact only, not disclosure of server data. Only servers that load mod_lua and use a LuaAuthzProvider in multiple Require directives are affected, so a version-based match on a server that does not use Lua authorization providers should be confirmed against the configuration before it is treated as exploitable. Note that 2.4.11 was never released, so 2.4.12 is the first fixed 2.4 release.
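The configuration shape the description refers to, as an added example that is not taken from the Nessus plugin or from the Apache project: one Lua authorization provider registered once and then referenced by two Require directives with different arguments. The provider name, directory paths, htpasswd file, Lua script path and the function name check_group are hypothetical; the script is assumed to define check_group(r, ...) returning apache2.AUTHZ_GRANTED or apache2.AUTHZ_DENIED based on the Require arguments it receives.

```apache
# Added example (hypothetical names and paths): the pattern CVE-2014-8109 concerns.
LoadModule lua_module modules/mod_lua.so

# Registers the provider "lua-group". Each "Require lua-group <args>" line below
# calls check_group(r, <args>) in the hypothetical script authz.lua.
LuaAuthzProvider lua-group /etc/httpd/lua/authz.lua check_group

# Two resources protected by the same provider with different arguments.
<Directory "/var/www/html/finance">
    AuthType Basic
    AuthName "Finance"
    AuthUserFile /etc/httpd/htpasswd
    Require lua-group finance
</Directory>

<Directory "/var/www/html/engineering">
    AuthType Basic
    AuthName "Engineering"
    AuthUserFile /etc/httpd/htpasswd
    Require lua-group engineering
</Directory>
```

On a fixed server the two Require lines are evaluated independently: a user for whom check_group grants only "finance" is denied under /engineering. On an affected version the two directives are not kept separate, so that separation cannot be relied on. A direct post-upgrade check is to authenticate as a user granted only one of the two arguments and request a path under the other directory, expecting a 403.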

Solution

Upgrade to Apache HTTP Server 2.4.12 or later. Alternatively, apply the mod_lua.c patch linked from the Apache bug report (see below) and rebuild the module. After either change, verify that a user authorized for only one Require argument is still denied on the resources protected by the other.

See Also

http://www.nessus.org/u?86845b5e

http://www.nessus.org/u?6261dac5

http://www.apache.org/dist/httpd/Announcement2.4.html

Plugin Details

Severity: Low

ID: 8587

Family: Web Servers

Published: 2/4/2015

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:http_server

Patch Publication Date: 11/20/2014

Vulnerability Publication Date: 11/20/2014

Reference Information

CVE: CVE-2014-8109

BID: 71353