
Apache HTTP Server 2.3.x / 2.4.x < 2.4.12 Authorization Bypass

Medium

Synopsis

The remote web server may be affected by an authorization bypass vulnerability.

Description

Versions of Apache HTTP Server 2.3.x / 2.4.x prior to 2.4.12 are affected by an authorization bypass vulnerability because of insufficient authorization enforcement in LuaAuthzProvider. Specifically, this issue affects the 'mod_lua.c' module when LuaAuthzProvider is used in multiple Require directives with different arguments. Attackers can exploit this issue using readily available tools to obtain sensitive information that may aid in further attacks.

Solution

Upgrade to Apache HTTP Server version 2.4.12 or later. Alternatively, apply the diff patch for 'mod_lua.c' available from the Apache bug report page.
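To decide whether a given host actually meets the condition in the description, the following added example (not part of the advisory or of Apache's code) checks a Server banner against the affected range and flags any LuaAuthzProvider name that appears in Require directives with more than one distinct argument list. The function names and the sample configuration are constructed for illustration; the parser reads a single file's text, does not follow Include directives, and compares provider names case-insensitively as a conservative assumption.

```python
import re

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
LuaAuthzProvider foo /usr/local/apache2/conf/authz.lua authz_check_foo
LuaAuthzProvider bar /usr/local/apache2/conf/authz.lua authz_check_bar
<Location "/a">
    Require foo alice
</Location>
<Location "/b">
    Require foo bob carol
</Location>
<Location "/c">
    Require bar admin
</Location>
<Location "/d">
    Require bar admin
</Location>
"""

def version_affected(banner):
    """True for 2.3.x, or 2.4.x below 2.4.12 (the advisory's stated range)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return False
    major, minor, patch = map(int, m.groups())
    return major == 2 and (minor == 3 or (minor == 4 and patch < 12))

def risky_providers(conf_text):
    """Return {provider: [argument tuples]} for every LuaAuthzProvider that is
    referenced by Require directives with differing arguments."""
    providers, uses = set(), {}
    for raw in conf_text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue  # blank line, comment, or container tag without arguments
        directive, name = tokens[0].lower(), tokens[1].lower()
        if directive == "luaauthzprovider":
            providers.add(name)
        elif directive == "require":
            uses.setdefault(name, set()).add(tuple(tokens[2:]))
    # Only providers seen with more than one distinct argument list match.
    return {p: sorted(uses[p]) for p in providers if len(uses.get(p, ())) > 1}

if __name__ == "__main__":
    print(version_affected("Apache/2.4.10 (Unix)"), risky_providers(SAMPLE_CONF))
```

A host is a priority for the upgrade when both checks are positive: the version is in range and at least one provider is returned.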