CVE-2015-3185 Information
Share on:Description
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
Reference
http://httpd.apache.org/security/vulnerabilities_24.html http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html http://rhn.redhat.com/errata/RHSA-2015-1666.html http://rhn.redhat.com/errata/RHSA-2015-1667.html http://rhn.redhat.com/errata/RHSA-2016-2957.html http://www.apache.org/dist/httpd/CHANGES_2.4 http://www.debian.org/security/2015/dsa-3325 http://www.securityfocus.com/bid/75965 http://www.securitytracker.com/id/1032967 http://www.ubuntu.com/usn/USN-2686-1 https://access.redhat.com/errata/RHSA-2017:2708 https://access.redhat.com/errata/RHSA-2017:2709 https://access.redhat.com/errata/RHSA-2017:2710 https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708 https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73 https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@3Ccvs.httpd.apache.org3E https://support.apple.com/HT205217 https://support.apple.com/HT205219 https://support.apple.com/kb/HT205031