CVE-2014-8109

Description

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

Category

CVSS 2.0 base score: 4.3 (Severity: Medium)
EPSS: 22.54% (Top 5%)
Vendor advisories: ubuntu.com, apple.com, fedoraproject.org, apache.org
Affected: n/a

References

Link (tags)
https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb third party advisory patch
https://bugzilla.redhat.com/show_bug.cgi?id=1174077 issue tracking third party advisory patch
http://www.ubuntu.com/usn/USN-2523-1 third party advisory vendor advisory
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html third party advisory
http://www.openwall.com/lists/oss-security/2014/11/28/5 third party advisory mailing list
http://www.securityfocus.com/bid/73040 vdb entry third party advisory
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html mailing list broken link vendor advisory
http://advisories.mageia.org/MGASA-2015-0011.html third party advisory
https://issues.apache.org/bugzilla/show_bug.cgi?id=57204 issue tracking vendor advisory
https://support.apple.com/kb/HT205031 third party advisory
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html mailing list broken link vendor advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159352.html mailing list third party advisory vendor advisory
https://support.apple.com/HT205219 third party advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E mailing list

Frequently Asked Questions

What is the severity of CVE-2014-8109?
CVE-2014-8109 has been scored as a medium severity vulnerability.
How to fix CVE-2014-8109?
To fix CVE-2014-8109, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2014-8109 being actively exploited in the wild?
It is possible that CVE-2014-8109 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~23% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.