CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.002 Low (Percentile: 59.5%)

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x
through 2.4.10 does not support an httpd configuration in which the same
Lua authorization provider is used with different arguments within
different contexts, which allows remote attackers to bypass intended access
restrictions in opportunistic circumstances by leveraging multiple Require
directives, as demonstrated by a configuration that specifies authorization
for one group to access a certain directory, and authorization for a second
group to access a second directory.
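
An audit check for the configuration pattern described above, as an added example that is not part of the advisory or of the Apache code base: it lists every Lua authorization provider registered with `LuaAuthzProvider` that appears in `Require` directives with more than one distinct argument list. It assumes a single configuration file with no `Include` expansion or line continuations; the provider names, paths and groups in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample configuration; provider names, paths and groups are made up.
SAMPLE_CONF = """\
LuaAuthzProvider group_check /etc/httpd/lua/authz.lua check_group
LuaAuthzProvider ip_check /etc/httpd/lua/authz.lua check_ip
<Directory "/var/www/staff">
    Require group_check staff
</Directory>
<Directory "/var/www/admin">
    Require group_check admins
</Directory>
<Directory "/var/www/internal">
    Require ip_check 10.0.0.0/8
</Directory>
"""

SECTION_CLOSE = re.compile(r"^</\s*[A-Za-z]+\s*>$")
SECTION_OPEN = re.compile(r"^<\s*([A-Za-z].*?)\s*>$")

def find_reused_lua_authz(conf_text):
    """Map each Lua authz provider that is used with more than one distinct
    argument list to {argument string: [contexts where it appears]}."""
    providers = set()
    uses = defaultdict(lambda: defaultdict(list))
    stack = []  # enclosing <Directory>/<Location>/... sections
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            continue
        words = line.split()
        directive = words[0].lower()  # directive names are case-insensitive
        if directive == "luaauthzprovider" and len(words) > 1:
            providers.add(words[1])
        elif directive == "require" and len(words) > 1:
            # Skip the optional "not" in "Require not <provider> ..."
            rest = words[2:] if words[1].lower() == "not" else words[1:]
            if rest:
                context = " > ".join(stack) or "server config"
                uses[rest[0]][" ".join(rest[1:])].append(context)
    return {p: dict(a) for p, a in uses.items() if p in providers and len(a) > 1}
```

A non-empty result on a server running an affected version identifies the directories whose authorization should be reviewed.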
Author | Note |
---|---|
mdeslaur | mod_lua is in 2.4.x only; mod_lua isn’t built in trusty |