CVE-2014-8109

medium Apache
CVSS v3 Base Score
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Score
11.7%
Exploitation probability in 30 days
Top 6% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
M
Confidentiality
None
Integrity
P
Availability
None
Published: December 29, 2014 (4154 days ago)
Last Modified: May 6, 2026
Vendor: Apache
Source: NVD

Description

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

CWE

CWE-863

Affected Products

apache http servercanonical ubuntu linuxfedoraproject fedoraoracle enterprise manager ops center

References

🔗 advisories.mageia.org 🔗 lists.apple.com 🔗 lists.apple.com 🔗 lists.fedoraproject.org 🔗 www.openwall.com