CVE-2015-3185
httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
Vulnerabilidad en la función ap_some_auth_required en ap_some_auth_required del Servidor HTTP Apache en su versión 2.4.x anteriores a la 2.4.14 no considera que una directiva Require puede estar asociada con el establecimiento de una autorización en lugar de un ajuste de autenticación lo cual permite a atacantes remotos evadir las restricciones destinadas al acceso en circunstancias oportunas mediante el aprovechamiento de la presencia de un módulo que se basa en el comportamiento en la API 2.2.
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-04-10 CVE Reserved
- 2015-07-20 CVE Published
- 2024-05-09 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-287: Improper Authentication
CAPEC
References (37)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 15.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.04" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.0 Search vendor "Apache" for product "Http Server" and version "2.4.0" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.1 Search vendor "Apache" for product "Http Server" and version "2.4.1" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.2 Search vendor "Apache" for product "Http Server" and version "2.4.2" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.3 Search vendor "Apache" for product "Http Server" and version "2.4.3" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.4 Search vendor "Apache" for product "Http Server" and version "2.4.4" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.6 Search vendor "Apache" for product "Http Server" and version "2.4.6" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.7 Search vendor "Apache" for product "Http Server" and version "2.4.7" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.8 Search vendor "Apache" for product "Http Server" and version "2.4.8" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.9 Search vendor "Apache" for product "Http Server" and version "2.4.9" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.10 Search vendor "Apache" for product "Http Server" and version "2.4.10" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.12 Search vendor "Apache" for product "Http Server" and version "2.4.12" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.4.13 Search vendor "Apache" for product "Http Server" and version "2.4.13" | - |
Affected
| ||||||
Apple Search vendor "Apple" | Xcode Search vendor "Apple" for product "Xcode" | 7.0 Search vendor "Apple" for product "Xcode" and version "7.0" | - |
Affected
| ||||||
Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | 10.10.4 Search vendor "Apple" for product "Mac Os X" and version "10.10.4" | - |
Affected
| ||||||
Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | 5.0.3 Search vendor "Apple" for product "Mac Os X Server" and version "5.0.3" | - |
Affected
|