CVE-2015-3185

medium

Apache

CVSS v3 Base Score

4.3

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Score

9.5%

Exploitation probability in 30 days

Top 7% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Confidentiality

None

Integrity

Availability

None

Published: July 20, 2015 (3951 days ago)

Last Modified: May 6, 2026

Vendor: Apache

Source: NVD

Description

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

CWE

CWE-264

Affected Products

canonical ubuntu linuxapache http serverapple xcodeapple mac os xapple mac os x server

References

🔗 httpd.apache.org 🔗 lists.apple.com 🔗 lists.apple.com 🔗 lists.apple.com 🔗 lists.opensuse.org

CVE-2015-3185

Vulnerability Report

Description

CWE

Affected Products

References