8.1
CVE-2017-15715
- EPSS 94.17%
- Published 26.03.2018 15:29:00
- Last modified 21.11.2024 03:15:04
- Source security@apache.org
- Teams watchlist Login
- Open Login
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.
Data is provided by the National Vulnerability Database (NVD)
Apache ≫ HTTP Server Version >= 2.4.0 <= 2.4.29
Debian ≫ Debian Linux Version8.0
Debian ≫ Debian Linux Version9.0
Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts
Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts
Canonical ≫ Ubuntu Linux Version17.10
Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts
Netapp ≫ Santricity Cloud Connector Version-
Netapp ≫ Storage Automation Store Version-
Netapp ≫ Storagegrid Version-
Netapp ≫ Clustered Data Ontap Version-
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version7.4
Redhat ≫ Enterprise Linux Version7.5
Redhat ≫ Enterprise Linux Version7.6
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.17% | 0.999 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.