mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
References
Link Providers
http://advisories.mageia.org/MGASA-2015-0011.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.html cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2014/11/28/5 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html cve-icon cve-icon
http://www.securityfocus.com/bid/73040 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2523-1 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=1174077 cve-icon cve-icon
https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb cve-icon cve-icon
https://issues.apache.org/bugzilla/show_bug.cgi?id=57204 cve-icon cve-icon
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2014-8109 cve-icon
https://support.apple.com/HT205219 cve-icon cve-icon
https://support.apple.com/kb/HT205031 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2014-8109 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-12-29T23:00:00

Updated: 2024-08-06T13:10:50.068Z

Reserved: 2014-10-10T00:00:00

Link: CVE-2014-8109

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2014-12-29T23:59:00.053

Modified: 2023-02-13T00:42:40.890

Link: CVE-2014-8109

cve-icon Redhat

Severity : Low

Publid Date: 2014-11-12T00:00:00Z

Links: CVE-2014-8109 - Bugzilla