Vulnerability Name:

CVE-2015-3185 (CCN-104845)

Assigned: 2015-07-15
Published: 2015-07-15
Updated: 2021-06-06
Summary: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
3.2 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Low
  Availability (A): None
3.7 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
3.2 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Partial
  Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): High
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Partial
  Availability (A): None
2.6 Low (REDHAT CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): High
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Partial
Vulnerability Type: CWE-264, CWE-287
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2015-3185

Source: CCN
Type: Apache Web site
Apache httpd 2.4 vulnerabilities

Source: CONFIRM
Type: Vendor Advisory
http://httpd.apache.org/security/vulnerabilities_24.html

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-08-13-2

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-16-2

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-16-4

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2015:1684

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1666

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1667

Source: CCN
Type: RHSA-2016-2957
Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release

Source: REDHAT
Type: UNKNOWN
RHSA-2016:2957

Source: CONFIRM
Type: UNKNOWN
http://www.apache.org/dist/httpd/CHANGES_2.4

Source: DEBIAN
Type: UNKNOWN
DSA-3325

Source: CCN
Type: IBM Security Bulletin T1023775 (PowerKVM)
Vulnerabilities in the Apache HTTP Server affect PowerKVM (CVE-2015-3183,CVE-2015-3185)

Source: BID
Type: UNKNOWN
75965

Source: CCN
Type: BID-75965
Apache HTTP Server CVE-2015-3185 Security Bypass Vulnerability

Source: SECTRACK
Type: UNKNOWN
1032967

Source: UBUNTU
Type: UNKNOWN
USN-2686-1

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2708

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2709

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2710

Source: XF
Type: UNKNOWN
apache-cve20153185-unspec(104845)

Source: CONFIRM
Type: UNKNOWN
https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708

Source: CONFIRM
Type: UNKNOWN
https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Source: CONFIRM
Type: UNKNOWN
https://support.apple.com/HT205217

Source: CONFIRM
Type: UNKNOWN
https://support.apple.com/HT205219

Source: CONFIRM
Type: UNKNOWN
https://support.apple.com/kb/HT205031

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-3185

Vulnerable Configuration:

Configuration 1:
  • cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

Configuration 2:
  • cpe:/a:apache:http_server:2.4.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.13:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.8:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:apple:mac_os_x_server:5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:xcode:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:http_server:2.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.12:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:powerkvm:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_core_services:2.4.6:*:*:*:apache_http_server:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20153185 | V | CVE-2015-3185 | 2022-09-02
oval:org.opensuse.security:def:40585 | P | Security update for mozilla-nss (Important) | 2021-12-06
oval:org.opensuse.security:def:19619 | P | Security update for the Linux Kernel (Important) | 2021-12-02
oval:org.opensuse.security:def:16625 | P | obs-service-source_validator-0.7-9.3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16540 | P | libmusicbrainz-devel-2.1.5-27.79 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16498 | P | libcdio++0-0.90-6.3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16506 | P | libexif-devel-0.6.21-8.3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16713 | P | dovecot22-devel-2.2.31-19.17.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16682 | P | PackageKit-devel-1.1.3-24.9.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16982 | P | wireshark-devel-2.4.16-48.51.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16960 | P | quagga-devel-1.1.1-17.7.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16891 | P | libspice-server-devel-0.12.8-12.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16948 | P | php7-devel-7.0.7-50.85.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16859 | P | libopus-devel-1.1-3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16749 | P | gstreamer-plugins-bad-devel-1.8.3-17.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:40255 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:17646 | P | Security update for apache2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:40151 | P | Security update for Linux Kernel Live Patch 12 for SLE 12 SP1 (Important) | 2020-12-01
oval:org.opensuse.security:def:41053 | P | Security update for tomcat (Important) | 2020-12-01
oval:org.opensuse.security:def:40927 | P | Security update for libgcrypt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18716 | P | Security update for spice-gtk (Moderate) | 2020-12-01
oval:org.opensuse.security:def:40163 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:17620 | P | Security update for libwmf (Moderate) | 2020-12-01
oval:org.opensuse.security:def:41024 | P | Security update for sqlite3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:40863 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:18678 | P | Security update for dovecot22 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:40152 | P | Security update for Linux Kernel Live Patch 13 for SLE 12 SP1 (Important) | 2020-12-01
oval:org.opensuse.security:def:40979 | P | Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:40687 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:18644 | P | Security update for postgresql10 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:19593 | P | Security update for openssh (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18586 | P | Security update for libvirt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:41787 | P | Security update for apache2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18955 | P | Security update for libssh2_org (Moderate) | 2020-12-01
oval:org.opensuse.security:def:40516 | P | Security update for cups (Important) | 2020-12-01
oval:org.opensuse.security:def:18500 | P | Security update for glibc (Important) | 2020-12-01
oval:org.opensuse.security:def:41742 | P | Security update for libqt5-qtbase (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18457 | P | Security update for curl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18931 | P | Security update for freerdp (Important) | 2020-12-01
oval:org.opensuse.security:def:18861 | P | Security update for dovecot22 (Important) | 2020-12-01
oval:org.opensuse.security:def:40407 | P | Security update for git (Important) | 2020-12-01
oval:org.opensuse.security:def:18465 | P | Security update for krb5 (Important) | 2020-12-01
oval:org.opensuse.security:def:41104 | P | Security update for LibVNCServer (Important) | 2020-12-01
oval:org.opensuse.security:def:18919 | P | Security update for openssl-1_1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18828 | P | Security update for curl (Important) | 2020-12-01
oval:org.cisecurity:def:183 | P | DSA-3325-1 -- apache2 -- security update | 2016-02-08
oval:com.redhat.rhsa:def:20151667 | P | RHSA-2015:1667: httpd security update (Moderate) | 2015-08-24
oval:com.ubuntu.precise:def:20153185000 | V | CVE-2015-3185 on Ubuntu 12.04 LTS (precise) - medium. | 2015-07-20
oval:com.ubuntu.trusty:def:20153185000 | V | CVE-2015-3185 on Ubuntu 14.04 LTS (trusty) - medium. | 2015-07-20