Endpoint Vulnerability

Apache Httpd - low:ap_some_auth_required API unusable(CVE-2015-3185)


A design error in the 'ap_some_auth_required' function renders the API unusuable in httpd 2.4.x. In particular the API is documented to answering if the request required authentication but only answers if there are Require lines in the applicable configuration. Since 2.4.x Require lines are used for authorization as well and can appear in configurations even when no authentication is required and the request is entirely unrestricted. This could lead to modules using this API to allow access when they should otherwise not do so. API users should use the new ap_some_authn_required API added in 2.4.16 instead.

Affected Products

Apache Httpd