CVE-2014-8109

Name: CVE-2014-8109
Description: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release             | Version           | Status
apache2 (PTS)   | bullseye            | 2.4.62-1~deb11u1  | fixed
                | bullseye (security) | 2.4.67-1~deb11u1  | fixed
                | bookworm            | 2.4.67-1~deb12u2  | fixed
                | bookworm (security) | 2.4.67-1~deb12u3  | fixed
                | trixie              | 2.4.67-1~deb13u2  | fixed
                | trixie (security)   | 2.4.67-1~deb13u3  | fixed
                | forky               | 2.4.67-1          | fixed
                | sid                 | 2.4.67-2          | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
apache2 | source | squeeze    | (not affected) |         |        |
apache2 | source | wheezy     | (not affected) |         |        |
apache2 | source | (unstable) | 2.4.10-9       |         |        |

Notes

[wheezy] - apache2 <not-affected> (mod_lua only in 2.4)
[squeeze] - apache2 <not-affected> (mod_lua only in 2.4)
