Vulnerability & Exploit Database

Back to search

Apache HTTPD: ap_some_auth_required API unusable (CVE-2015-3185)

Severity CVSS Published Added Modified
4 (AV:N/AC:M/Au:N/C:N/I:P/A:N) July 19, 2015 July 19, 2015 January 07, 2018

Description

A design error in the "ap_some_auth_required" function renders the API unusuable in httpd 2.4.x. In particular the API is documented to answering if the request required authentication but only answers if there are Require lines in the applicable configuration. Since 2.4.x Require lines are used for authorization as well and can appear in configurations even when no authentication is required and the request is entirely unrestricted. This could lead to modules using this API to allow access when they should otherwise not do so. API users should use the new ap_some_authn_required API added in 2.4.16 instead.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

References

Solution

apache-httpd-upgrade-2_4_16

Related Vulnerabilities