Vulnerability Description
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. In other words, the function reported that authentication was required whenever any Require directive applied, even one that needs no authenticated user (for example a host- or address-based rule such as `Require ip`, as opposed to `Require valid-user`), so a module that treated a true result as "the client has been authenticated" could be misled.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 12.04 |
| Apache | HTTP Server | 2.4.0 |
| Apple | Xcode | 7.0 |
| Apple | Mac OS X | 10.10.4 |
| Apple | Mac OS X Server | 5.0.3 |
References
- http://httpd.apache.org/security/vulnerabilities_24.html (Vendor Advisory)
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
- http://rhn.redhat.com/errata/RHSA-2015-1666.html
- http://rhn.redhat.com/errata/RHSA-2015-1667.html
- http://rhn.redhat.com/errata/RHSA-2016-2957.html
- http://www.apache.org/dist/httpd/CHANGES_2.4
- http://www.debian.org/security/2015/dsa-3325
- http://www.securityfocus.com/bid/75965
- http://www.securitytracker.com/id/1032967
- http://www.ubuntu.com/usn/USN-2686-1
- https://access.redhat.com/errata/RHSA-2017:2708
- https://access.redhat.com/errata/RHSA-2017:2709
FAQ
What is CVE-2015-3185?
CVE-2015-3185 is a vulnerability with a CVSS score of 4.3 (MEDIUM) in the ap_some_auth_required function of the Apache HTTP Server 2.4.x before 2.4.14, which can allow remote attackers to bypass intended access restrictions when a module relying on the 2.2 API behavior is present. See the Vulnerability Description above for the full text.
How severe is CVE-2015-3185?
CVE-2015-3185 has been rated MEDIUM with a CVSS base score of 4.3/10. See the CVSS Score section above.
Is there a patch for CVE-2015-3185?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Apache HTTP Server, Apple Xcode, Apple Mac OS X, and Apple Mac OS X Server.