CVE-2014-8109
Description
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
15.829
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Update Apache to version 2.4.12 | Windows |
| Vulnerabilities CVE-2014-3581,CVE-2014-8109 are fixed in Apache 2.4.12 | Windows |
| Multiple vulnerabilities are fixed in OS X Yosemite 10.10.5 Update | Mac |
| Multiple vulnerabilities are fixed in OS X Yosemite 10.10.5 Combo Update | Mac |
| Apache HTTP server (USN-2523-1) apache2.2-bin_2.4.7-1ubuntu4.5_i386.deb | Linux |
| Apache HTTP server (USN-2523-1) apache2.2-bin_2.4.7-1ubuntu4.5_amd64.deb | Linux |
| Update Apache to version 2.4.12 (For Linux) | Linux |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-600354 | OS X Yosemite 10.10.5 Update |
| PATCH-600458 | OS X Yosemite 10.10.5 Combo Update |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234