CVE-2015-3185
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. Since 2.4.x, Require lines are used for authorization as well, so they can appear in configurations even when no authentication is required and the request is entirely unrestricted. A module that uses this API to decide whether access is permitted can therefore allow access when it should not. More details can be found on the main CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185.
- Reported: this vulnerability was reported on 2013-8-5 by Ben Reser (http://httpd.apache.org/security/vulnerabilities_24.html)
- Availability impact is PARTIAL
- Confidentiality and Integrity impact is NONE
- Base score: 2.6
- The vulnerability was introduced over a series of commits by Stefan Fritsch in 2010
- Fixed by: William A. Rowe Jr. (breser), profile: https://github.com/wrowe
- Git fix hash: cd2b7a26c776b0754fb98426a67804fd48118708 (https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708)
- The fix consisted of changes in three different areas:
  - Changing the value of a constant in the file ap_mmn.h.
  - Adding a hook in http_request.h that allows a module to force authentication to be required when processing a request; modules register for it with ap_hook_force_authn().
  - Adding the corresponding hook and a further function in request.c for determining whether a request requires authentication, and removing the faulty logic that decided whether authenticated access was required and replacing it.
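To make the faulty decision concrete, the following is an added, constructed C model of the two checks; it is not code from httpd or from the fix commit. `req_config`, `old_some_auth_required`, `new_some_authn_required`, `register_force_authn` and the list of providers that need an authenticated identity are all assumptions of this model: the old function mirrors the 2.2 assumption that any Require line implies authentication, while the new one first consults a force_authn-style hook and then looks at what the Require lines actually demand.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REQUIRE 4

/* Constructed stand-in for the per-request configuration of one
 * <Directory>/<Location> section; not httpd's request_rec. */
typedef struct {
    const char *auth_type;            /* AuthType value, NULL if not set */
    const char *require[MAX_REQUIRE]; /* provider names from Require lines */
    int nrequire;
} req_config;

/* Vulnerable decision (2.2 API semantics): the mere presence of a
 * Require line is taken to mean that authentication is required. */
static bool old_some_auth_required(const req_config *c)
{
    return c->nrequire > 0;
}

/* Stand-in for the force_authn hook added by the fix: a module may register
 * a callback that demands authentication for a request regardless of the
 * Require lines. Hypothetical signature for this model only. */
typedef int (*force_authn_fn)(const req_config *c);
static force_authn_fn force_authn_hook = NULL;

static void register_force_authn(force_authn_fn fn)
{
    force_authn_hook = fn;
}

/* Providers that only make sense with an authenticated identity. The list is
 * an assumption of this model; providers such as ip, host or all do not
 * need a user at all. */
static bool provider_needs_authn(const char *provider)
{
    static const char *const authn_providers[] = { "valid-user", "user", "group" };
    size_t n = sizeof authn_providers / sizeof authn_providers[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(provider, authn_providers[i]) == 0)
            return true;
    }
    return false;
}

/* Fixed decision: first let modules force authentication, then look at what
 * the Require lines actually demand instead of whether any exist. */
static bool new_some_authn_required(const req_config *c)
{
    if (force_authn_hook != NULL && force_authn_hook(c))
        return true;
    if (c->auth_type == NULL)
        return false; /* no AuthType: the authentication phase never runs */
    for (int i = 0; i < c->nrequire; i++) {
        if (provider_needs_authn(c->require[i]))
            return true;
    }
    return false;
}

/* Example module callback: always insists on authentication. */
static int always_force_authn(const req_config *c)
{
    (void)c;
    return 1;
}

/* Constructed configurations exercised by main(). */
static const req_config cfg_protected = { "Basic", { "valid-user" }, 1 };
static const req_config cfg_ip_only   = { NULL,    { "ip" },         1 };
static const req_config cfg_all       = { NULL,    { "all" },        1 };
static const req_config cfg_empty     = { NULL,    { NULL },         0 };

static void show(const char *label, const req_config *c)
{
    printf("%-26s old=%d new=%d\n", label,
           old_some_auth_required(c), new_some_authn_required(c));
}

int main(void)
{
    show("AuthType + valid-user", &cfg_protected);
    show("Require ip (no AuthType)", &cfg_ip_only);
    show("Require all granted", &cfg_all);
    show("no Require", &cfg_empty);
    register_force_authn(always_force_authn);
    show("module forces authn", &cfg_empty);
    return 0;
}
```

The two configurations where the old check answers "authentication required" but the new one does not (an authorization-only `Require ip` and `Require all granted` with no AuthType) are exactly the situations the CVE text describes: a module trusting the old answer would assume the server's authentication phase had already vetted the request, when in fact no such phase ever ran.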
- CVE details: http://www.cvedetails.com/cve/CVE-2015-3185/
- Changes in version 2.4: http://www.apache.org/dist/httpd/CHANGES_2.4