Description

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

Remediation

References

CVE-2014-8109

Related Vulnerabilities

WordPress Plugin Ultimate Addons for Beaver Builder Security Bypass (1.24.0)

e107 Other Vulnerability (CVE-2006-3259)

WordPress Plugin Insert Pages Multiple Vulnerabilities (3.6.1)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-32244)

MySQL CVE-2013-5786 Vulnerability (CVE-2013-5786)

Severity

Medium

Classification

CVE-2014-8109 CWE-863

Tags

Missing Update Known Vulnerabilities