CVE-2014-8109

Source
https://nvd.nist.gov/vuln/detail/CVE-2014-8109
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2014-8109.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2014-8109
Related
Published
2014-12-29T23:59:00Z
Modified
2024-09-18T01:00:21Z
Summary
[none]
Details

modlua.c in the modlua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

References

Affected packages

Debian:11 / apache2

Package

Name
apache2
Purl
pkg:deb/debian/apache2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.10-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / apache2

Package

Name
apache2
Purl
pkg:deb/debian/apache2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.10-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / apache2

Package

Name
apache2
Purl
pkg:deb/debian/apache2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.10-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}