{ "threat_severity" : "Moderate", "public_date" : "2015-07-15T00:00:00Z", "bugzilla" : { "description" : "httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4", "id" : "1243888", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1243888" }, "cvss" : { "cvss_base_score" : "2.6", "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:N/I:N/A:P", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "3.7", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-287", "details" : [ "The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.", "It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied." ], "affected_release" : [ { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-09-13T00:00:00Z", "advisory" : "RHSA-2017:2710", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-09-13T00:00:00Z", "advisory" : "RHSA-2017:2710", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-09-13T00:00:00Z", "advisory" : "RHSA-2017:2709", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.23-122.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-09-13T00:00:00Z", "advisory" : "RHSA-2017:2709", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2015-08-24T00:00:00Z", "advisory" : "RHSA-2015:1667", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "httpd-0:2.4.6-31.ael7b_1.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2015-08-24T00:00:00Z", "advisory" : "RHSA-2015:1666", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "httpd24-httpd-0:2.4.12-4.el6.2" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date" : "2015-08-24T00:00:00Z", "advisory" : "RHSA-2015:1666", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "httpd24-httpd-0:2.4.12-4.el6.2" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date" : "2015-08-24T00:00:00Z", "advisory" : "RHSA-2015:1666", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "httpd24-httpd-0:2.4.12-4.el6.2" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2015-08-24T00:00:00Z", "advisory" : "RHSA-2015:1666", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "httpd24-httpd-0:2.4.12-6.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date" : "2015-08-24T00:00:00Z", "advisory" : "RHSA-2015:1666", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "httpd24-httpd-0:2.4.12-6.el7.1" }, { "product_name" : "Text-Only JBCS", "release_date" : "2016-12-15T00:00:00Z", "advisory" : "RHSA-2016:2957", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Text-Only JBCS", "release_date" : "2017-09-13T00:00:00Z", "advisory" : "RHSA-2017:2708", "cpe" : "cpe:/a:redhat:jboss_core_services:1" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "Red Hat Directory Server 8", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:directory_server:8" }, { "product_name" : "Red Hat Enterprise Linux 4", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:4" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 3", "fix_state" : "Affected", "package_name" : "httpd24", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-3185\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3185\nhttp://httpd.apache.org/security/vulnerabilities_24.html#2.4.16" ], "name" : "CVE-2015-3185", "csaw" : false }