CVSSv2: 4.3

CVE-2015-3185

Published: 20/07/2015 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x prior to 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting (in 2.4 a Require line such as "Require all granted" can be pure authorization and is satisfied without any credentials), so the function can answer "yes" for a request that nobody authenticated. This allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a third-party module that calls the function expecting its 2.2 API meaning; httpd's own authentication and authorization are not bypassed by themselves.


Vulnerable Products

canonical ubuntu linux 12.04
canonical ubuntu linux 14.04
canonical ubuntu linux 15.04
apache http server 2.4.0
apache http server 2.4.1
apache http server 2.4.2
apache http server 2.4.3
apache http server 2.4.4
apache http server 2.4.6
apache http server 2.4.7
apache http server 2.4.8
apache http server 2.4.9
apache http server 2.4.10
apache http server 2.4.12
apache http server 2.4.13
apple mac os x 10.10.4
apple xcode 7.0
apple mac os x server 5.0.3

Vendor Advisories

Several security issues were fixed in the Apache HTTP server ...
Synopsis: Important: Red Hat JBoss Core Services security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for JBoss Core Services on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Sc ...
Synopsis: Important: Red Hat JBoss Core Services security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) ba ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services httpd 2.4.23 is now available from the Red Hat Customer Portal for Solaris and Microsoft Windows systems. Red Hat Product Security has rated this release as ...
Synopsis: Important: Red Hat JBoss Core Services security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for JBoss Core Services on Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Sc ...
Several vulnerabilities have been found in the Apache HTTPD server. CVE-2015-3183: An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in us ...
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) Multiple flaws were found in the way httpd pars ...
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied ...
Tenable SecurityCenter is potentially impacted by two vulnerabilities in Apache HTTP Server. CVE-2015-3183: The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling o ...
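The mismatch that the Vulnerability Summary and the Red Hat advisory excerpts above describe, as an added illustration that is not httpd code and is not taken from any vendor advisory: a reduced C model of the pre-2.4.14 ap_some_auth_required() answer ("is any Require line configured?") beside an authentication-aware answer, plus a hypothetical third-party module that trusts the answer to decide whether to apply its own policy. The function names, the module, the reduced provider list and the three sample configurations are assumptions made for the demonstration; only the Require syntax is httpd's.

```c
/*
 * Added example, not code from httpd or any advisory: a reduced model of the
 * CVE-2015-3185 mismatch. Directive names follow httpd's Require syntax; the
 * function names are hypothetical stand-ins for the real API, reduced to the
 * decision logic, and the sample configurations are constructed for the demo.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One "Require <provider> ..." line from a <Directory> or <Location> block.
 * "all" stands for "Require all granted" in this model. */
typedef struct { const char *provider; } require_t;

/* The Require lines that apply to a request's location. */
typedef struct { const require_t *lines; size_t count; } dir_conf_t;

/* Providers that can only be satisfied after an authentication module has set
 * r->user (reduced list; mod_authnz_ldap and others add more). Everything
 * else, e.g. "all", "ip", "env", "method", is pure authorization and needs
 * no credentials at all. */
static bool provider_needs_authn(const char *p)
{
    return strcmp(p, "valid-user") == 0 ||
           strcmp(p, "user") == 0 ||
           strcmp(p, "group") == 0;
}

/* Model of ap_some_auth_required() in 2.4.x before 2.4.14: it asks whether
 * *any* Require line is configured, so "Require all granted" makes it answer
 * true although nobody was authenticated. */
bool some_auth_required_24(const dir_conf_t *c)
{
    return c->count > 0;
}

/* The question callers written against the 2.2 API actually meant:
 * does reaching this location require an authenticated user? */
bool some_authn_required(const dir_conf_t *c)
{
    for (size_t i = 0; i < c->count; i++)
        if (provider_needs_authn(c->lines[i].provider))
            return true;
    return false;
}

/* Model of httpd's own authorization stage (RequireAny semantics): the
 * request proceeds if any line is satisfied. With no Require lines at all
 * mod_authz_core has nothing to evaluate and lets the request through. */
bool httpd_admits(const dir_conf_t *c, const char *user)
{
    if (c->count == 0)
        return true;
    for (size_t i = 0; i < c->count; i++) {
        const char *p = c->lines[i].provider;
        if (strcmp(p, "all") == 0)
            return true;
        if (provider_needs_authn(p) && user != NULL)
            return true;
    }
    return false;
}

typedef bool (*auth_probe_fn)(const dir_conf_t *);

/* Hypothetical third-party module gating a privileged operation. If httpd
 * reports that authentication is configured it defers to httpd's result and
 * skips its own policy; otherwise it refuses anonymous callers itself. That
 * is sound only if the probe really means "authentication". */
bool module_allows_write(const dir_conf_t *c, const char *user, auth_probe_fn probe)
{
    if (probe(c))
        return true;          /* trusts httpd to have vetted the caller */
    return user != NULL;      /* own rule: no anonymous writes */
}

/* End to end for an anonymous request: httpd's stage, then the module's. */
bool anonymous_write_succeeds(const dir_conf_t *c, auth_probe_fn probe)
{
    return httpd_admits(c, NULL) && module_allows_write(c, NULL, probe);
}

/* Constructed sample configurations. */
static const require_t all_granted_lines[] = { { "all" } };        /* Require all granted */
static const require_t valid_user_lines[]  = { { "valid-user" } }; /* Require valid-user */
const dir_conf_t conf_all_granted = { all_granted_lines, 1 };
const dir_conf_t conf_valid_user  = { valid_user_lines, 1 };
const dir_conf_t conf_empty       = { NULL, 0 };

int main(void)
{
    struct { const char *name; const dir_conf_t *c; } cases[] = {
        { "Require all granted", &conf_all_granted },
        { "Require valid-user",  &conf_valid_user },
        { "(no Require)",        &conf_empty },
    };
    printf("%-22s %-12s %-12s\n", "anonymous write", "pre-2.4.14", "authn-aware");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s %-12s %-12s\n", cases[i].name,
               anonymous_write_succeeds(cases[i].c, some_auth_required_24) ? "ALLOWED" : "denied",
               anonymous_write_succeeds(cases[i].c, some_authn_required)   ? "ALLOWED" : "denied");
    return 0;
}
```

Only the "Require all granted" row differs between the two probes: httpd admits the anonymous request because the location is public, and the pre-2.4.14 answer then tells the module that authentication was in play, so it waives its own rule. With "Require valid-user" httpd rejects the anonymous request before any module runs, and with no Require line the old probe answers false, so the module's own rule still applies. The practical takeaway for module authors is that on 2.4 the presence of Require lines says nothing about authentication; a module has to check for an authenticated user (r->user) itself or use an authentication-aware API.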

References

CWE-264
http://httpd.apache.org/security/vulnerabilities_24.html
http://www.apache.org/dist/httpd/CHANGES_2.4
https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
https://support.apple.com/kb/HT205031
http://www.ubuntu.com/usn/USN-2686-1
https://support.apple.com/HT205217
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
https://support.apple.com/HT205219
http://www.securityfocus.com/bid/75965
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
http://www.debian.org/security/2015/dsa-3325
http://rhn.redhat.com/errata/RHSA-2015-1667.html
http://www.securitytracker.com/id/1032967
https://access.redhat.com/errata/RHSA-2017:2710
https://access.redhat.com/errata/RHSA-2017:2709
https://access.redhat.com/errata/RHSA-2017:2708
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://rhn.redhat.com/errata/RHSA-2015-1666.html
https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
https://nvd.nist.gov
https://usn.ubuntu.com/2686-1/
https://access.redhat.com/security/cve/cve-2015-3185