Is CVE-2014-8109 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 22%.

What products does CVE-2014-8109 affect?

Tracked products affected include Ubuntu. Check the version you run to see whether it is affected.

How do I fix CVE-2014-8109?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

CVE-2014-8109

Q: What is CVE-2014-8109?

CVE-2014-8109 is a medium-severity software vulnerability (Incorrect authorization) with a CVSS score of 4.3. mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which

MEDIUM severity · CVSS 4.3 · Incorrect authorization

4.3CVSS MEDIUM

Summary

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impactNone

Integrity impact—

Availability impactNone

Exploit probability (EPSS)22%

AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected products we track (1)

Ubuntu

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

CVE-2014-8109

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information