Vulnerability details: VCID-ksjq-1m1d-aaag
Vulnerability ID VCID-ksjq-1m1d-aaag
Aliases CVE-2015-3185
Summary The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (2)
System Score Found at
generic_textual Medium http://httpd.apache.org/security/vulnerabilities_24.html
generic_textual LOW http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3185.html
rhas Moderate https://access.redhat.com/errata/RHSA-2015:1666
rhas Moderate https://access.redhat.com/errata/RHSA-2015:1667
rhas Important https://access.redhat.com/errata/RHSA-2016:2957
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3185.json
epss 0.00368 https://api.first.org/data/v1/epss?cve=CVE-2015-3185
epss 0.11448 https://api.first.org/data/v1/epss?cve=CVE-2015-3185
epss 0.13007 https://api.first.org/data/v1/epss?cve=CVE-2015-3185
epss 0.14043 https://api.first.org/data/v1/epss?cve=CVE-2015-3185
epss 0.24877 https://api.first.org/data/v1/epss?cve=CVE-2015-3185
epss 0.43174 https://api.first.org/data/v1/epss?cve=CVE-2015-3185
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1243888
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185
apache_httpd low https://httpd.apache.org/security/json/CVE-2015-3185.json
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2015-3185
generic_textual LOW https://support.apple.com/HT205217
generic_textual Medium https://ubuntu.com/security/notices/USN-2686-1
generic_textual Medium http://svn.apache.org/viewvc?view=revision&revision=1684525
generic_textual Medium https://www.apache.org/dist/httpd/Announcement2.4.txt
generic_textual Medium https://www.apache.org/dist/httpd/CHANGES_2.4.16
Reference id Reference type URL
http://httpd.apache.org/security/vulnerabilities_24.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3185.html
http://rhn.redhat.com/errata/RHSA-2015-1666.html
http://rhn.redhat.com/errata/RHSA-2015-1667.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
https://access.redhat.com/errata/RHSA-2017:2708
https://access.redhat.com/errata/RHSA-2017:2709
https://access.redhat.com/errata/RHSA-2017:2710
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3185.json
https://api.first.org/data/v1/epss?cve=CVE-2015-3185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185
https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708
https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://support.apple.com/HT205217
https://support.apple.com/HT205219
https://support.apple.com/kb/HT205031
https://ubuntu.com/security/notices/USN-2686-1
http://svn.apache.org/viewvc?view=revision&revision=1684525
https://www.apache.org/dist/httpd/Announcement2.4.txt
https://www.apache.org/dist/httpd/CHANGES_2.4.16
http://www.apache.org/dist/httpd/CHANGES_2.4
http://www.debian.org/security/2015/dsa-3325
http://www.securityfocus.com/bid/75965
http://www.securitytracker.com/id/1032967
http://www.ubuntu.com/usn/USN-2686-1
1243888 https://bugzilla.redhat.com/show_bug.cgi?id=1243888
cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.13:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*
cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x_server:5.0.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:mac_os_x_server:5.0.3:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
CVE-2015-3185 https://httpd.apache.org/security/json/CVE-2015-3185.json
CVE-2015-3185 https://nvd.nist.gov/vuln/detail/CVE-2015-3185
RHSA-2015:1666 https://access.redhat.com/errata/RHSA-2015:1666
RHSA-2015:1667 https://access.redhat.com/errata/RHSA-2015:1667
RHSA-2016:2957 https://access.redhat.com/errata/RHSA-2016:2957
USN-2686-1 https://usn.ubuntu.com/2686-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3185.json
Attack Vector (AV) network
Attack Complexity (AC) high
Privileges Required (PR) none
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) none
Integrity Impact (I) none
Availability Impact (A) low
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2015-3185
Access Vector (AV) network
Access Complexity (AC) medium
Authentication (Au) none
Confidentiality Impact (C) none
Integrity Impact (I) partial
Availability Impact (A) none
Exploit Prediction Scoring System (EPSS)
Percentile 0.73055
EPSS Score 0.00368
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.