CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

• CWE-863

• http://advisories.mageia.org/MGASA-2015-0011.htmlThird Party Advisory
• http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.htmlBroken Link, Mailing List
• http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.htmlBroken Link, Mailing List
• http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.htmlMailing List, Third Party Advisory
• http://www.openwall.com/lists/oss-security/2014/11/28/5Mailing List, Third Party Advisory
• http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlThird Party Advisory
• http://www.securityfocus.com/bid/73040Third Party Advisory, VDB Entry
• http://www.ubuntu.com/usn/USN-2523-1Third Party Advisory
• https://bugzilla.redhat.com/show_bug.cgi?id=1174077Issue Tracking, Patch, Third Party Advisory
• https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcbPatch, Third Party Advisory
• https://issues.apache.org/bugzilla/show_bug.cgi?id=57204Issue Tracking, Vendor Advisory
• https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
• https://support.apple.com/HT205219Third Party Advisory
• https://support.apple.com/kb/HT205031Third Party Advisory
• http://advisories.mageia.org/MGASA-2015-0011.htmlThird Party Advisory
• http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.htmlBroken Link, Mailing List
• http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.htmlBroken Link, Mailing List
• http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.htmlMailing List, Third Party Advisory
• http://www.openwall.com/lists/oss-security/2014/11/28/5Mailing List, Third Party Advisory
• http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlThird Party Advisory
• http://www.securityfocus.com/bid/73040Third Party Advisory, VDB Entry
• http://www.ubuntu.com/usn/USN-2523-1Third Party Advisory
• https://bugzilla.redhat.com/show_bug.cgi?id=1174077Issue Tracking, Patch, Third Party Advisory
• https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcbPatch, Third Party Advisory
• https://issues.apache.org/bugzilla/show_bug.cgi?id=57204Issue Tracking, Vendor Advisory
• https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
• https://support.apple.com/HT205219Third Party Advisory
• https://support.apple.com/kb/HT205031Third Party Advisory

Published

Dec 29, 2014

Last Modified

Jun 17, 2026

Status

Modified