NVD:CVE-2014-8109 (source: nvd)
Dec 29, 2014 - 11:59 p.m.

CVE-2014-8109

2014-12-29 23:59:00
CWE-863
web.nvd.nist.gov
7

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score: 6.1
Confidence: High

EPSS: 0.002
Percentile: 61.3%

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

Affected configurations

Nvd

Node
apache http_server Match 2.4.1
OR
apache http_server Match 2.4.2
OR
apache http_server Match 2.4.3
OR
apache http_server Match 2.4.4
OR
apache http_server Match 2.4.6
OR
apache http_server Match 2.4.7
OR
apache http_server Match 2.4.9
OR
apache http_server Match 2.4.10

Node
canonical ubuntu_linux Match 10.04 -
OR
canonical ubuntu_linux Match 12.04 -
OR
canonical ubuntu_linux Match 14.04 esm
OR
canonical ubuntu_linux Match 14.10

Node
fedoraproject fedora Match 21

Node
oracle enterprise_manager_ops_center Range <12.1.4
OR
oracle enterprise_manager_ops_center Match 12.2.0
OR
oracle enterprise_manager_ops_center Match 12.2.1
OR
oracle enterprise_manager_ops_center Match 12.3.0

Vendor     Product       Version  CPE
apache     http_server   2.4.1    cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
apache     http_server   2.4.2    cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
apache     http_server   2.4.3    cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
apache     http_server   2.4.4    cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
apache     http_server   2.4.6    cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
apache     http_server   2.4.7    cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
apache     http_server   2.4.9    cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*
apache     http_server   2.4.10   cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*
canonical  ubuntu_linux  10.04    cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
canonical  ubuntu_linux  12.04    cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

Rows 1-10 of 171
