Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2015-3185

Опубликовано: 15 июл. 2015
Источник: redhat
CVSS3: 3.7
CVSS2: 2.6
EPSS Низкий

Описание

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
CloudForms Management Engine 5httpdNot affected
Red Hat Directory Server 8httpdNot affected
Red Hat Enterprise Linux 4httpdNot affected
Red Hat Enterprise Linux 5httpdNot affected
Red Hat Enterprise Linux 6httpdNot affected
Red Hat JBoss Enterprise Application Platform 6httpdNot affected
Red Hat JBoss Enterprise Web Server 1httpdNot affected
Red Hat JBoss Enterprise Web Server 2httpdNot affected
Red Hat JBoss Enterprise Web Server 3httpd24Affected
JBoss Core Services on RHEL 6jbcs-httpd24-httpdFixedRHSA-2017:271013.09.2017

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=1243888httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4

EPSS

Процентиль: 92%
0.07873
Низкий

3.7 Low

CVSS3

2.6 Low

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2015-3185

ubuntu
около 10 лет назад

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

nvd логотип

CVE-2015-3185

nvd
около 10 лет назад

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

debian логотип

CVE-2015-3185

debian
около 10 лет назад

The ap_some_auth_required function in server/request.c in the Apache H ...

github логотип

GHSA-5fv4-m5x3-j32p

github
больше 3 лет назад

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

fstec логотип

BDU:2015-10929

fstec
около 10 лет назад

Уязвимость веб-сервера Apache HTTP Server, позволяющая нарушителю обойти существующие ограничения доступа

EPSS

Процентиль: 92%
0.07873
Низкий

3.7 Low

CVSS3

2.6 Low

CVSS2