mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Information
Published : 2014-12-29 15:59
Updated : 2023-02-12 16:42
NVD link : CVE-2014-8109
Mitre link : CVE-2014-8109
JSON object : View
CWE
CWE-863
Incorrect Authorization
Products Affected
apache
- http_server
canonical
- ubuntu_linux
oracle
- enterprise_manager_ops_center
fedoraproject
- fedora