CVE-2015-3185
EPSS 6.4%
Description
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
How to fix CVE-2015-3185
To remediate CVE-2015-3185, upgrade the affected package to one of the fixed versions listed below.
- Debian/apache2: upgrade to 2.4.16-1 or later
Is CVE-2015-3185 being exploited?
Moderate — EPSS is 6.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- Debian/apache2: from 0, < 2.4.16-1