Apache HTTP Server 2.3.x / 2.4.x < 2.4.12 Authorization Bypass

Medium Nessus Network Monitor Plugin ID 8587

Synopsis

The remote web server may be affected by an authorization bypass vulnerability.

Description

Versions of Apache HTTP Server 2.3.x / 2.4.x prior to 2.4.12 are affected by an authorization bypass vulnerability because of insufficient authorization enforcement in LuaAuthzProvider. Specifically, this issue affects the 'mod_lua.c' module when LuaAuthzProvider is used in multiple Require directives with different arguments. Attackers can exploit this issue using readily available tools to obtain sensitive information that may aid in further attacks.

Solution

Upgrade to Apache HTTP Server version 2.4.12 or later. Alternatively, apply the diff patch for 'mod_lua.c' available from the Apache bug report page.
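The affected range above (every 2.3.x release, and 2.4.x before 2.4.12) is easy to get wrong with a plain string comparison, so the following added example shows a defender-side version check in POSIX sh. It is not Nessus plugin code and not part of this page; it parses a version out of an `httpd -v` line or a `Server` response header (the banner formats are assumed) and classifies it against the fixed release named in the Solution.

```sh
#!/bin/sh
# Added example (not Tenable's plugin logic): classify an Apache httpd version
# against the range this advisory describes: 2.3.x and 2.4.x < 2.4.12.

# Extract "x.y.z" from a banner such as "Server version: Apache/2.4.10 (Unix)"
# or "Server: Apache/2.4.7 (Ubuntu)". Prints nothing if no version is exposed.
apache_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if version "$1" falls in the affected range, 1 otherwise.
# Components are compared numerically, so 2.4.9 is correctly older than 2.4.12.
apache_version_affected() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  # Drop any suffix like "-dev" from the patch level and default missing parts to 0.
  patch=${patch%%[!0-9]*}
  major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
  [ "$major" -eq 2 ] || return 1
  case "$minor" in
    3) return 0 ;;                 # every 2.3.x release is affected
    4) [ "$patch" -lt 12 ] ;;      # 2.4.0 .. 2.4.11 affected; 2.4.12 and later fixed
    *) return 1 ;;
  esac
}

# Combine both steps and print a verdict: affected, not-affected, or unknown
# (unknown when the banner hides the version, e.g. ServerTokens Prod).
classify_banner() {
  ver=$(apache_version_from_banner "$1")
  if [ -z "$ver" ]; then
    echo unknown
  elif apache_version_affected "$ver"; then
    echo affected
  else
    echo not-affected
  fi
}

# Constructed sample banners for a stand-alone run.
for banner in \
  "Server version: Apache/2.4.10 (Unix)" \
  "Server: Apache/2.4.12 (Ubuntu)" \
  "Server: Apache/2.3.16" \
  "Server: Apache"; do
  printf '%-40s %s\n' "$banner" "$(classify_banner "$banner")"
done
```

The check only tells you what the banner claims; distributions often backport fixes without changing the version string, so treat "affected" as a prompt to verify the installed package's changelog rather than as proof of exposure.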

See Also

http://www.nessus.org/u?86845b5e

http://www.nessus.org/u?6261dac5

http://www.apache.org/dist/httpd/Announcement2.4.html

Plugin Details

Severity: Medium

ID: 8587

Family: Web Servers

Published: 2015/02/04

Modified: 2016/01/21

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:http_server

Patch Publication Date: 2014/11/20

Vulnerability Publication Date: 2014/11/20

Reference Information

CVE: CVE-2014-8109

BID: 71353