Lucene search

[email protected]NVD:CVE-2015-7519

HistoryJan 08, 2016 - 7:59 p.m.

CVE-2015-7519

2016-01-0819:59:05

CWE-20

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.1 Medium

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.8%

JSON

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.

Affected configurations

NVD

Node

phusionpassengerphusion_passengerRange≤4.0.59

phusionpassengerphusion_passengerMatch5.0.0

phusionpassengerphusion_passengerMatch5.0.0beta1

phusionpassengerphusion_passengerMatch5.0.0beta2

phusionpassengerphusion_passengerMatch5.0.0beta3

phusionpassengerphusion_passengerMatch5.0.0rc1

phusionpassengerphusion_passengerMatch5.0.0rc2

phusionpassengerphusion_passengerMatch5.0.1

phusionpassengerphusion_passengerMatch5.0.2

phusionpassengerphusion_passengerMatch5.0.3

phusionpassengerphusion_passengerMatch5.0.4

phusionpassengerphusion_passengerMatch5.0.5

phusionpassengerphusion_passengerMatch5.0.6

phusionpassengerphusion_passengerMatch5.0.7

phusionpassengerphusion_passengerMatch5.0.8

phusionpassengerphusion_passengerMatch5.0.9

phusionpassengerphusion_passengerMatch5.0.10

phusionpassengerphusion_passengerMatch5.0.11

phusionpassengerphusion_passengerMatch5.0.12

phusionpassengerphusion_passengerMatch5.0.13

phusionpassengerphusion_passengerMatch5.0.14

phusionpassengerphusion_passengerMatch5.0.15

phusionpassengerphusion_passengerMatch5.0.16

phusionpassengerphusion_passengerMatch5.0.17

phusionpassengerphusion_passengerMatch5.0.18

phusionpassengerphusion_passengerMatch5.0.19

phusionpassengerphusion_passengerMatch5.0.20

phusionpassengerphusion_passengerMatch5.0.21

References

lists.opensuse.org/opensuse-security-announce/2015-12/msg00024.html

www.openwall.com/lists/oss-security/2015/12/07/1

www.openwall.com/lists/oss-security/2015/12/07/2

blog.phusion.nl/2015/12/07/cve-2015-7519/

bugzilla.suse.com/show_bug.cgi?id=956281

github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e

lists.debian.org/debian-lts-announce/2018/06/msg00007.html

puppet.com/security/cve/passenger-dec-2015-security-fixes

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.1 Medium

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.8%

JSON

Related for NVD:CVE-2015-7519

suse1 osv2 cvelist1 openvas3 github1 debiancve1 cve1 freebsd1 debian2 nessus3 ubuntucve1 prion1