mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x up to and including 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote malicious users to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apache http server 2.4.1 |
||
apache http server 2.4.6 |
||
apache http server 2.4.3 |
||
apache http server 2.4.4 |
||
apache http server 2.4.10 |
||
apache http server 2.4.7 |
||
apache http server 2.4.2 |
||
apache http server 2.4.9 |
||
canonical ubuntu linux 14.10 |
||
canonical ubuntu linux 14.04 |
||
canonical ubuntu linux 10.04 |
||
canonical ubuntu linux 12.04 |
||
fedoraproject fedora 21 |
||
oracle enterprise manager ops center 12.2.1 |
||
oracle enterprise manager ops center 12.3.0 |
||
oracle enterprise manager ops center 12.2.0 |
||
oracle enterprise manager ops center |