CVE-2015-3185 - Vulnerability Details

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Http Server
Apple	Mac Os X Mac Os X Server Xcode
Canonical	Ubuntu Linux
Redhat	Enterprise Linux Jboss Core Services Rhel Software Collections

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:15.04:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:apache:http_server:2.4.0:::::::*
	cpe:2.3:a:apache:http_server:2.4.1:::::::*
	cpe:2.3:a:apache:http_server:2.4.2:::::::*
	cpe:2.3:a:apache:http_server:2.4.3:::::::*
	cpe:2.3:a:apache:http_server:2.4.4:::::::*
	cpe:2.3:a:apache:http_server:2.4.6:::::::*
	cpe:2.3:a:apache:http_server:2.4.7:::::::*
	cpe:2.3:a:apache:http_server:2.4.8:::::::*
	cpe:2.3:a:apache:http_server:2.4.9:::::::*
	cpe:2.3:a:apache:http_server:2.4.10:::::::*
	cpe:2.3:a:apache:http_server:2.4.12:::::::*
	cpe:2.3:a:apache:http_server:2.4.13:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:apple:xcode:7.0:::::::*
	cpe:2.3:o:apple:mac_os_x:10.10.4:::::::*
	cpe:2.3:o:apple:mac_os_x_server:5.0.3:::::::*

Package	CPE	Advisory	Released Date
JBoss Core Services on RHEL 6
jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2017:2710	2017-09-13T00:00:00Z
jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2017:2710	2017-09-13T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2017:2709	2017-09-13T00:00:00Z
jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2017:2709	2017-09-13T00:00:00Z
Red Hat Enterprise Linux 7
httpd-0:2.4.6-31.ael7b_1.1	cpe:/o:redhat:enterprise_linux:7	RHSA-2015:1667	2015-08-24T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 6
httpd24-httpd-0:2.4.12-4.el6.2	cpe:/a:redhat:rhel_software_collections:2::el6	RHSA-2015:1666	2015-08-24T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
httpd24-httpd-0:2.4.12-4.el6.2	cpe:/a:redhat:rhel_software_collections:2::el6	RHSA-2015:1666	2015-08-24T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
httpd24-httpd-0:2.4.12-4.el6.2	cpe:/a:redhat:rhel_software_collections:2::el6	RHSA-2015:1666	2015-08-24T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
httpd24-httpd-0:2.4.12-6.el7.1	cpe:/a:redhat:rhel_software_collections:2::el7	RHSA-2015:1666	2015-08-24T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
httpd24-httpd-0:2.4.12-6.el7.1	cpe:/a:redhat:rhel_software_collections:2::el7	RHSA-2015:1666	2015-08-24T00:00:00Z
Text-Only JBCS
	cpe:/a:redhat:jboss_core_services:1	RHSA-2016:2957	2016-12-15T00:00:00Z
	cpe:/a:redhat:jboss_core_services:1	RHSA-2017:2708	2017-09-13T00:00:00Z

References

Link	Providers
http://httpd.apache.org/security/vulnerabilities_24.html
http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
http://rhn.redhat.com/errata/RHSA-2015-1666.html
http://rhn.redhat.com/errata/RHSA-2015-1667.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://www.apache.org/dist/httpd/CHANGES_2.4
http://www.debian.org/security/2015/dsa-3325
http://www.securityfocus.com/bid/75965
http://www.securitytracker.com/id/1032967
http://www.ubuntu.com/usn/USN-2686-1
https://access.redhat.com/errata/RHSA-2017:2708
https://access.redhat.com/errata/RHSA-2017:2709
https://access.redhat.com/errata/RHSA-2017:2710
https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708
https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2015-3185
https://support.apple.com/HT205217
https://support.apple.com/HT205219
https://support.apple.com/kb/HT205031
https://www.cve.org/CVERecord?id=CVE-2015-3185

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2015-07-20T23:00:00

Updated: 2024-08-06T05:39:31.678Z

Reserved: 2015-04-10T00:00:00

Link: CVE-2015-3185

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-07-20T23:59:03.770

Modified: 2024-11-21T02:28:51.297

Link: CVE-2015-3185

Redhat

Severity : Moderate

Publid Date: 2015-07-15T00:00:00Z

Links: CVE-2015-3185 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-07-16T00:00:00", "descriptions": [{"lang": "en", "value": "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-06T10:12:19", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "openSUSE-SU-2015:1684", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"}, {"name": "RHSA-2015:1667", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/HT205217"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.apache.org/dist/httpd/CHANGES_2.4"}, {"name": "APPLE-SA-2015-09-16-2", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"}, {"name": "RHSA-2017:2709", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2709"}, {"name": "RHSA-2015:1666", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"}, {"name": "1032967", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1032967"}, {"name": "USN-2686-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2686-1"}, {"name": "APPLE-SA-2015-08-13-2", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"}, {"name": "75965", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75965"}, {"name": "DSA-3325", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3325"}, {"name": "RHSA-2016:2957", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT205031"}, {"name": "RHSA-2017:2710", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2710"}, {"name": "APPLE-SA-2015-09-16-4", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/HT205219"}, {"name": "RHSA-2017:2708", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2708"}, {"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-3185", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2015:1684", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"}, {"name": "http://httpd.apache.org/security/vulnerabilities_24.html", "refsource": "CONFIRM", "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"name": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708", "refsource": "CONFIRM", "url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"}, {"name": "RHSA-2015:1667", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"}, {"name": "https://support.apple.com/HT205217", "refsource": "CONFIRM", "url": "https://support.apple.com/HT205217"}, {"name": "http://www.apache.org/dist/httpd/CHANGES_2.4", "refsource": "CONFIRM", "url": "http://www.apache.org/dist/httpd/CHANGES_2.4"}, {"name": "APPLE-SA-2015-09-16-2", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"}, {"name": "RHSA-2017:2709", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2709"}, {"name": "RHSA-2015:1666", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"}, {"name": "1032967", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032967"}, {"name": "USN-2686-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2686-1"}, {"name": "APPLE-SA-2015-08-13-2", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"}, {"name": "75965", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75965"}, {"name": "DSA-3325", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3325"}, {"name": "RHSA-2016:2957", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"}, {"name": "https://support.apple.com/kb/HT205031", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT205031"}, {"name": "RHSA-2017:2710", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2710"}, {"name": "APPLE-SA-2015-09-16-4", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"}, {"name": "https://support.apple.com/HT205219", "refsource": "CONFIRM", "url": "https://support.apple.com/HT205219"}, {"name": "RHSA-2017:2708", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2708"}, {"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"}, {"name": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73", "refsource": "CONFIRM", "url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:39:31.678Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2015:1684", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"}, {"name": "RHSA-2015:1667", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/HT205217"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.apache.org/dist/httpd/CHANGES_2.4"}, {"name": "APPLE-SA-2015-09-16-2", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"}, {"name": "RHSA-2017:2709", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2709"}, {"name": "RHSA-2015:1666", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"}, {"name": "1032967", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1032967"}, {"name": "USN-2686-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2686-1"}, {"name": "APPLE-SA-2015-08-13-2", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"}, {"name": "75965", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/75965"}, {"name": "DSA-3325", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3325"}, {"name": "RHSA-2016:2957", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/kb/HT205031"}, {"name": "RHSA-2017:2710", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2710"}, {"name": "APPLE-SA-2015-09-16-4", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/HT205219"}, {"name": "RHSA-2017:2708", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2708"}, {"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-3185", "datePublished": "2015-07-20T23:00:00", "dateReserved": "2015-04-10T00:00:00", "dateUpdated": "2024-08-06T05:39:31.678Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BDC40E89-2D57-4988-913E-024BFB56B367", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "6FCD3C8C-9BF8-4F30-981A-593EEAEB9EDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "046487A3-752B-4D0F-8984-96486B828EAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "89D2E052-51CD-4B57-A8B8-FAE51988D654", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "EAA27058-BACF-4F94-8E3C-7D38EC302EC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "8FEAB0DF-04A9-4F99-8666-0BADC5D642B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7D924D1-8A36-4C43-9E56-52814F9A6350", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "DFA089AB-AF28-4AE1-AE39-6D1B8192A3DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "39CDFECC-E26D-47E0-976F-6629040B3764", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "E3ECBCB1-0675-41F5-857B-438F36925F63", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "CB6CBFBF-74F6-42AF-BC79-AA53EA75F00B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:http_server:2.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "EF77159D-505A-475C-A137-4F89D4769B8F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "7344422F-F65A-4000-A9EF-8D323DA29011", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*", "matchCriteriaId": "E8B0A12E-E122-4189-A05E-4FEA43C19876", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8ACDF399-AE56-4130-8686-F8E4C9014DD9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior."}, {"lang": "es", "value": "Vulnerabilidad en la funci\u00f3n ap_some_auth_required en ap_some_auth_required del Servidor HTTP Apache en su versi\u00f3n 2.4.x anteriores a la 2.4.14 no considera que una directiva Require puede estar asociada con el establecimiento de una autorizaci\u00f3n en lugar de un ajuste de autenticaci\u00f3n lo cual permite a atacantes remotos evadir las restricciones destinadas al acceso en circunstancias oportunas mediante el aprovechamiento de la presencia de un m\u00f3dulo que se basa en el comportamiento en la API 2.2."}], "id": "CVE-2015-3185", "lastModified": "2024-11-21T02:28:51.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-07-20T23:59:03.770", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "secalert@redhat.com", "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"}, {"source": "secalert@redhat.com", "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"}, {"source": "secalert@redhat.com", "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"}, {"source": "secalert@redhat.com", "url": "http://www.apache.org/dist/httpd/CHANGES_2.4"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2015/dsa-3325"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/75965"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1032967"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2686-1"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:2708"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:2709"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:2710"}, {"source": "secalert@redhat.com", "url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"}, {"source": "secalert@redhat.com", "url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://support.apple.com/HT205217"}, {"source": "secalert@redhat.com", "url": "https://support.apple.com/HT205219"}, {"source": "secalert@redhat.com", "url": "https://support.apple.com/kb/HT205031"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-1666.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-1667.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.apache.org/dist/httpd/CHANGES_2.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3325"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/75965"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1032967"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2686-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:2708"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:2709"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:2710"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/HT205217"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/HT205219"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT205031"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:2710", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2017-09-13T00:00:00Z"}, {"advisory": "RHSA-2017:2710", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2017-09-13T00:00:00Z"}, {"advisory": "RHSA-2017:2709", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2017-09-13T00:00:00Z"}, {"advisory": "RHSA-2017:2709", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2017-09-13T00:00:00Z"}, {"advisory": "RHSA-2015:1667", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "httpd-0:2.4.6-31.ael7b_1.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-08-24T00:00:00Z"}, {"advisory": "RHSA-2015:1666", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "httpd24-httpd-0:2.4.12-4.el6.2", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-08-24T00:00:00Z"}, {"advisory": "RHSA-2015:1666", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "httpd24-httpd-0:2.4.12-4.el6.2", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-08-24T00:00:00Z"}, {"advisory": "RHSA-2015:1666", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "httpd24-httpd-0:2.4.12-4.el6.2", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-08-24T00:00:00Z"}, {"advisory": "RHSA-2015:1666", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "httpd24-httpd-0:2.4.12-6.el7.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-08-24T00:00:00Z"}, {"advisory": "RHSA-2015:1666", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "httpd24-httpd-0:2.4.12-6.el7.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-08-24T00:00:00Z"}, {"advisory": "RHSA-2016:2957", "cpe": "cpe:/a:redhat:jboss_core_services:1", "product_name": "Text-Only JBCS", "release_date": "2016-12-15T00:00:00Z"}, {"advisory": "RHSA-2017:2708", "cpe": "cpe:/a:redhat:jboss_core_services:1", "product_name": "Text-Only JBCS", "release_date": "2017-09-13T00:00:00Z"}], "bugzilla": {"description": "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4", "id": "1243888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243888"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-287", "details": ["The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.", "It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied."], "name": "CVE-2015-3185", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "httpd", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:directory_server:8", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Directory Server 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Affected", "package_name": "httpd24", "product_name": "Red Hat JBoss Enterprise Web Server 3"}], "public_date": "2015-07-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-3185\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3185\nhttp://httpd.apache.org/security/vulnerabilities_24.html#2.4.16"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object