Branko Čibej

Researcher at Apache Software Foundation
#51969 of 53,635
4.3 total CVSS
Vulnerabilities · 1
PT-2015-1597
4.3
2015-06-09
Apache · Apache Http Server · CVE-2015-3185
**Name of the Vulnerable Software and Affected Versions**
Apache HTTP Server versions 2.4.x before 2.4.14

**Description**
The issue is related to the `ap_some_auth_required` function in the Apache HTTP Server, which does not properly consider the difference between authentication and authorization settings. This allows remote attackers to bypass intended access restrictions in certain circumstances, particularly when a module relies on the 2.2 API behavior. The problem arises because the `ap_some_auth_required` function only checks for the presence of Require lines in the configuration, which can be used for both authentication and authorization. As a result, modules using this API may allow access when they should not.

**Recommendations**
For Apache HTTP Server versions 2.4.x before 2.4.14, consider updating to version 2.4.16 or later, which includes the new `ap_some_authn_required` API that correctly handles authentication requirements. As a temporary workaround, API users should use the new `ap_some_authn_required` API instead of `ap_some_auth_required` to ensure proper authentication checks. At the moment, there is no information about other versions that contain a fix for this vulnerability.