PT-2014-8412 · Apache · Apache HTTP Server
Published 2014-11-09 · Updated 2024-06-15 · CVE-2014-8109
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.3.x and 2.4.x through 2.4.10
Description
The flaw is in the mod_lua module of the Apache HTTP Server: it does not support an httpd configuration in which the same Lua authorization provider (LuaAuthzProvider) is used with different arguments in different contexts. This lets remote attackers bypass intended access restrictions by leveraging multiple Require directives, potentially gaining unauthorized access to certain directories. For example, a configuration that authorizes one group to access one directory and a second group to access a second directory, both through the same Lua provider, could be exploited.
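The configuration shape the description refers to, shown here as an added illustration that is not part of the advisory and not code from the Apache project: a single Lua authorization provider is registered once and then referenced by Require directives carrying different arguments in two directory contexts. The provider name, script path, function name, directory paths and group names are all assumptions chosen for the example.

```apache
# Constructed example (assumed names and paths) of the pattern described
# in the advisory: one LuaAuthzProvider, referenced with different
# arguments in different contexts. On 2.3.x and 2.4.x through 2.4.10 this
# is the configuration shape affected by CVE-2014-8109.
LoadModule lua_module modules/mod_lua.so

# Register the provider once: provider name, Lua script, function to call.
# The function is called as check_group(r, groupname), where "groupname" is
# the argument given on the Require line, and must return
# apache2.AUTHZ_GRANTED or apache2.AUTHZ_DENIED.
LuaAuthzProvider lua-group /etc/httpd/lua/authz_group.lua check_group

# First context: the provider is asked to check membership in "reports-readers".
<Directory "/var/www/reports">
    AuthType Basic
    AuthName "Reports"
    AuthUserFile /etc/httpd/users
    Require lua-group reports-readers
</Directory>

# Second context: the SAME provider, now with the argument "admins".
# This is the "different arguments within different contexts" condition.
<Directory "/var/www/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /etc/httpd/users
    Require lua-group admins
</Directory>
```

When auditing a server in the affected version range, the thing to look for is exactly this: a LuaAuthzProvider name that appears on more than one Require line with differing argument lists. Where that holds, the rule enforced in one context may not be the one its own Require line specifies, which is the "unexpected authentication rules" the recommendation refers to; the practical remedy is to apply the vendor fix to mod_lua.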
Recommendations
For Apache HTTP Server versions 2.3.x and 2.4.x through 2.4.10, the fix is to update the handling of the Require line in mod_lua so that a LuaAuthzProvider used in multiple Require directives with different arguments no longer produces unexpected authentication rules.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Incorrect Authorization
Related Identifiers
CVE-2014-8109
Affected Products
Apache Http Server
Suse
Ubuntu