PT-2015-1597 · Apache · Apache HTTP Server

Branko Čibej

·

Published

2015-06-09

·

Updated

2021-06-06

·

CVE-2015-3185

CVSS v2.0

4.3

Medium

Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.x before 2.4.14
Description The ap_some_auth_required() function in the Apache HTTP Server does not distinguish between authentication and authorization settings. It returns true whenever a Require directive applies to the request, and in 2.4 Require is also the authorization directive (for example "Require all granted" or "Require ip"), so it can be present in scopes where no authentication is configured at all. A module written against the 2.2 API contract, where any Require line implied that the client had been authenticated, may therefore skip its own checks or trust an unauthenticated client, and remote attackers can use this to bypass intended access restrictions in certain circumstances.
Recommendations For Apache HTTP Server versions 2.4.x before 2.4.14, update to version 2.4.16 or later; 2.4.16 is the first publicly released version that contains the fix, which deprecates ap_some_auth_required() and adds the ap_some_authn_required() API that correctly reports whether authentication is required. Authors of third-party modules should port their code from ap_some_auth_required() to ap_some_authn_required(). The new API does not exist in vulnerable versions, so switching to it is part of the upgrade rather than a workaround for an unpatched server. At the moment, there is no information about other versions that contain a fix for this vulnerability.
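The following self-contained C program is an added model of the bug described above; it is not httpd source code. The sim_request and require_line structs, old_some_auth_required(), new_some_authn_required() and module_grants_access() are hypothetical stand-ins for request_rec, the in-scope Require list, ap_some_auth_required(), ap_some_authn_required() and a third-party module written against the 2.2 contract. The list of providers treated as needing an authenticated user is an illustrative subset, and the three configurations are constructed for the example.

```c
/*
 * Added model of CVE-2015-3185 (hypothetical code, not from httpd).
 *
 * On 2.2 every "Require" line implied an authentication requirement, so
 * "is there a Require line in scope?" was a safe proxy for "did httpd
 * authenticate this client?".  On 2.4 "Require" is also the authorization
 * directive ("Require all granted", "Require ip ..."), so the proxy breaks.
 */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *provider;   /* first word after "Require": valid-user, all, ip, ... */
    const char *args;       /* rest of the line, unused by the model */
} require_line;

typedef struct {                /* stand-in for request_rec + per-dir config */
    const char *uri;
    const char *auth_type;      /* AuthType directive in scope, NULL when absent */
    const char *user;           /* identity set by an authn module, NULL if none */
    const require_line *reqs;   /* "Require" lines in scope */
    int nreqs;
} sim_request;

typedef int (*auth_check_fn)(const sim_request *r);

/* Illustrative subset of 2.4 authz providers that only an authenticated
 * user can satisfy; "all", "ip", "env", "method", "expr" are not in it. */
static int provider_needs_authn(const char *provider)
{
    static const char *const authn_providers[] = {
        "user", "valid-user", "group", "ldap-user", "ldap-group", NULL
    };
    for (int i = 0; authn_providers[i]; i++)
        if (strcmp(provider, authn_providers[i]) == 0)
            return 1;
    return 0;
}

/* 2.2-era contract: any "Require" line in scope implies authentication. */
int old_some_auth_required(const sim_request *r)
{
    return r->nreqs > 0;
}

/* What a replacement has to check on 2.4: is authentication actually
 * configured (AuthType) and demanded by at least one "Require" line? */
int new_some_authn_required(const sim_request *r)
{
    if (r->auth_type == NULL)
        return 0;
    for (int i = 0; i < r->nreqs; i++)
        if (provider_needs_authn(r->reqs[i].provider))
            return 1;
    return 0;
}

/* Hypothetical third-party module written against the 2.2 contract: it
 * guards its resource itself unless httpd already requires a login for it,
 * in which case it defers to httpd.  Returns 1 when the module grants access. */
int module_grants_access(const sim_request *r, auth_check_fn httpd_requires_auth)
{
    if (httpd_requires_auth(r))
        return 1;               /* defer: "httpd authenticated this client" */
    return r->user != NULL;     /* own gate: only an identified client */
}

/* Constructed scenario A (2.2-style protection, also valid on 2.4):
 *   <Location /admin>  AuthType Basic  /  Require valid-user  </Location>
 * with a client that logged in as "alice". */
static const require_line reqs_a[] = { { "valid-user", "" } };
static const sim_request req_a = { "/admin", "Basic", "alice", reqs_a, 1 };

/* Constructed scenario B (authorization-only config, possible on 2.4 only):
 *   <Location /admin>  Require all granted  </Location>
 * with an anonymous client: no AuthType, no authenticated user. */
static const require_line reqs_b[] = { { "all", "granted" } };
static const sim_request req_b = { "/admin", NULL, NULL, reqs_b, 1 };

/* Constructed scenario C: no Require lines at all, anonymous client. */
static const sim_request req_c = { "/admin", NULL, NULL, NULL, 0 };

int main(void)
{
    const struct { const char *name; const sim_request *r; } cases[] = {
        { "A: AuthType Basic + Require valid-user, user=alice", &req_a },
        { "B: Require all granted, no AuthType, anonymous",     &req_b },
        { "C: no Require lines, anonymous",                     &req_c },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const sim_request *r = cases[i].r;
        printf("%s\n  old API: auth required=%d -> module grants=%d\n"
               "  new API: authn required=%d -> module grants=%d\n",
               cases[i].name,
               old_some_auth_required(r), module_grants_access(r, old_some_auth_required),
               new_some_authn_required(r), module_grants_access(r, new_some_authn_required));
    }
    return 0;
}
```

Scenario B is the bypass: the 2.2-style check reports "auth required" because a Require line exists, the module defers to httpd, and httpd's "Require all granted" admits the anonymous client. The replacement check keys on whether authentication is configured and demanded, so the module falls back to its own gate and denies.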

Fix


Weakness Enumeration

Related Identifiers

BDU:2015-10929
CESA-2015:1667
CVE-2015-3185
DSA-3325-1
DSA-3325-2
MGASA-2015-0281
RHSA-2015:1666
RHSA-2015:1667
RHSA-2017:2709
RHSA-2017:2710
SUSE-SU-2015:1851-1
USN-2686-1

Affected Products

Apache HTTP Server
Centos
Red Hat
Suse
Ubuntu