Vulnonym.com

CVE-2015-3185 - Enthralled Applicant

Description

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

Reference

http://httpd.apache.org/security/vulnerabilities_24.html http://www.apache.org/dist/httpd/CHANGES_2.4 https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html https://support.apple.com/kb/HT205031 http://www.ubuntu.com/usn/USN-2686-1 https://support.apple.com/HT205217 http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html https://support.apple.com/HT205219 http://www.securityfocus.com/bid/75965 http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html http://www.debian.org/security/2015/dsa-3325 http://rhn.redhat.com/errata/RHSA-2015-1667.html http://www.securitytracker.com/id/1032967 https://access.redhat.com/errata/RHSA-2017:2710 https://access.redhat.com/errata/RHSA-2017:2709 https://access.redhat.com/errata/RHSA-2017:2708 http://rhn.redhat.com/errata/RHSA-2016-2957.html http://rhn.redhat.com/errata/RHSA-2015-1666.html https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73 https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3Ccvs.httpd.apache.org%3E