Rapid7 VulnDB

Apache HTTPD: ap_some_auth_required API unusable (CVE-2015-3185)

Back to Search

Apache HTTPD: ap_some_auth_required API unusable (CVE-2015-3185)

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
07/20/2015
Created
07/25/2018
Added
07/20/2015
Modified
01/08/2018

Description

A design error in the "ap_some_auth_required" function renders the API unusuable in httpd 2.4.x. In particular the API is documented to answering if the request required authentication but only answers if there are Require lines in the applicable configuration. Since 2.4.x Require lines are used for authorization as well and can appear in configurations even when no authentication is required and the request is entirely unrestricted. This could lead to modules using this API to allow access when they should otherwise not do so. API users should use the new ap_some_authn_required API added in 2.4.16 instead.

Solution(s)

  • apache-httpd-upgrade-2_4_16

References

  • apache-httpd-upgrade-2_4_16

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;