4.3
CVE-2015-7519
- EPSS 0.36%
- Published 08.01.2016 19:59:05
- Last modified 12.04.2025 10:46:40
- Source secalert@redhat.com
agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
Data is provided by the National Vulnerability Database (NVD)
Phusionpassenger ≫ Phusion Passenger Version <= 4.0.59
Phusionpassenger ≫ Phusion Passenger Version 5.0.0
Phusionpassenger ≫ Phusion Passenger Version 5.0.0 Update beta1
Phusionpassenger ≫ Phusion Passenger Version 5.0.0 Update beta2
Phusionpassenger ≫ Phusion Passenger Version 5.0.0 Update beta3
Phusionpassenger ≫ Phusion Passenger Version 5.0.0 Update rc1
Phusionpassenger ≫ Phusion Passenger Version 5.0.0 Update rc2
Phusionpassenger ≫ Phusion Passenger Version 5.0.1
Phusionpassenger ≫ Phusion Passenger Version 5.0.2
Phusionpassenger ≫ Phusion Passenger Version 5.0.3
Phusionpassenger ≫ Phusion Passenger Version 5.0.4
Phusionpassenger ≫ Phusion Passenger Version 5.0.5
Phusionpassenger ≫ Phusion Passenger Version 5.0.6
Phusionpassenger ≫ Phusion Passenger Version 5.0.7
Phusionpassenger ≫ Phusion Passenger Version 5.0.8
Phusionpassenger ≫ Phusion Passenger Version 5.0.9
Phusionpassenger ≫ Phusion Passenger Version 5.0.10
Phusionpassenger ≫ Phusion Passenger Version 5.0.11
Phusionpassenger ≫ Phusion Passenger Version 5.0.12
Phusionpassenger ≫ Phusion Passenger Version 5.0.13
Phusionpassenger ≫ Phusion Passenger Version 5.0.14
Phusionpassenger ≫ Phusion Passenger Version 5.0.15
Phusionpassenger ≫ Phusion Passenger Version 5.0.16
Phusionpassenger ≫ Phusion Passenger Version 5.0.17
Phusionpassenger ≫ Phusion Passenger Version 5.0.18
Phusionpassenger ≫ Phusion Passenger Version 5.0.19
Phusionpassenger ≫ Phusion Passenger Version 5.0.20
Phusionpassenger ≫ Phusion Passenger Version 5.0.21
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.576 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 3.7 | 2.2 | 1.4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |

CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.