Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2015-3185 |
CWE-ID | CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
apache2 (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU32392
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-3185
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
MitigationInstall update from vendor's website.
Vulnerable software versionsapache2 (Alpine package): 2.4.4-r0 - 2.4.12-r1
External linkshttp://git.alpinelinux.org/aports/commit/?id=db992fcd384a88b087cf614ea6085a7618361f3a
http://git.alpinelinux.org/aports/commit/?id=7a5b508efbcc2243c09bd0b060136f78409d3ab7
http://git.alpinelinux.org/aports/commit/?id=b1db34556bafee5506f78b45c1a6f88844d89508
http://git.alpinelinux.org/aports/commit/?id=b785b5f3aa75162cd033fd8dc922f4e2a5fd770e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.