CVE-2015-3185

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
15.04
apachehttp_server
2.4.0
apachehttp_server
2.4.1
apachehttp_server
2.4.2
apachehttp_server
2.4.3
apachehttp_server
2.4.4
apachehttp_server
2.4.6
apachehttp_server
2.4.7
apachehttp_server
2.4.8
apachehttp_server
2.4.9
apachehttp_server
2.4.10
apachehttp_server
2.4.12
apachehttp_server
2.4.13
applexcode
7.0
applemac_os_x
10.10.4
applemac_os_x_server
5.0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apache2
bookworm
2.4.62-1~deb12u1
fixed
bookworm (security)
2.4.62-1~deb12u2
fixed
bullseye
2.4.62-1~deb11u1
fixed
bullseye (security)
2.4.62-1~deb11u2
fixed
sid
2.4.62-3
fixed
squeeze
not-affected
trixie
2.4.62-3
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apache2
precise
not-affected
trusty
Fixed 2.4.7-1ubuntu4.5
released
utopic
ignored
vivid
Fixed 2.4.10-9ubuntu1.1
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
apache2
suse enterprise sap 12
2.4.10-14.10.1
fixed
suse enterprise server 12
2.4.10-14.10.1
fixed
apache2-doc
suse enterprise sap 12
2.4.10-14.10.1
fixed
suse enterprise server 12
2.4.10-14.10.1
fixed
apache2-example-pages
suse enterprise sap 12
2.4.10-14.10.1
fixed
suse enterprise server 12
2.4.10-14.10.1
fixed
apache2-mod_auth_kerb
suse enterprise sap 12
5.4-2.4.1
fixed
suse enterprise server 12
5.4-2.4.1
fixed
apache2-mod_jk
suse enterprise sap 12
1.2.40-2.6.1
fixed
suse enterprise server 12
1.2.40-2.6.1
fixed
apache2-mod_security2
suse enterprise sap 12
2.8.0-3.4.1
fixed
suse enterprise server 12
2.8.0-3.4.1
fixed
apache2-prefork
suse enterprise sap 12
2.4.10-14.10.1
fixed
suse enterprise server 12
2.4.10-14.10.1
fixed
apache2-utils
suse enterprise sap 12
2.4.10-14.10.1
fixed
suse enterprise server 12
2.4.10-14.10.1
fixed
apache2-worker
suse enterprise sap 12
2.4.10-14.10.1
fixed
suse enterprise server 12
2.4.10-14.10.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
httpd
RHEL 7
0:2.4.6-31.el7_1.1
fixed
httpd-devel
RHEL 7
0:2.4.6-31.el7_1.1
fixed
httpd-manual
RHEL 7
0:2.4.6-31.el7_1.1
fixed
httpd-tools
RHEL 7
0:2.4.6-31.el7_1.1
fixed
mod
RHEL 7
1:2.4.6-31.el7_1.1
fixed
Common Weakness Enumeration
References
http://httpd.apache.org/security/vulnerabilities_24.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
http://rhn.redhat.com/errata/RHSA-2015-1666.html
http://rhn.redhat.com/errata/RHSA-2015-1667.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://www.apache.org/dist/httpd/CHANGES_2.4
http://www.debian.org/security/2015/dsa-3325
http://www.securityfocus.com/bid/75965
http://www.securitytracker.com/id/1032967
http://www.ubuntu.com/usn/USN-2686-1
https://access.redhat.com/errata/RHSA-2017:2708
https://access.redhat.com/errata/RHSA-2017:2709
https://access.redhat.com/errata/RHSA-2017:2710
https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708
https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://support.apple.com/HT205217
https://support.apple.com/HT205219
https://support.apple.com/kb/HT205031
http://httpd.apache.org/security/vulnerabilities_24.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
http://rhn.redhat.com/errata/RHSA-2015-1666.html
http://rhn.redhat.com/errata/RHSA-2015-1667.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://www.apache.org/dist/httpd/CHANGES_2.4
http://www.debian.org/security/2015/dsa-3325
http://www.securityfocus.com/bid/75965
http://www.securitytracker.com/id/1032967
http://www.ubuntu.com/usn/USN-2686-1
https://access.redhat.com/errata/RHSA-2017:2708
https://access.redhat.com/errata/RHSA-2017:2709
https://access.redhat.com/errata/RHSA-2017:2710
https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708
https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://support.apple.com/HT205217
https://support.apple.com/HT205219
https://support.apple.com/kb/HT205031