CVSS2 score: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
httpd is vulnerable to HTTP request smuggling attacks. The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request. The flaw relates to the mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
httpd.apache.org/security/vulnerabilities_24.html
kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
marc.info/?l=bugtraq&m=144493176821532&w=2
rhn.redhat.com/errata/RHSA-2015-1666.html
rhn.redhat.com/errata/RHSA-2015-1667.html
rhn.redhat.com/errata/RHSA-2015-1668.html
rhn.redhat.com/errata/RHSA-2015-2661.html
rhn.redhat.com/errata/RHSA-2016-0061.html
rhn.redhat.com/errata/RHSA-2016-0062.html
rhn.redhat.com/errata/RHSA-2016-2054.html
rhn.redhat.com/errata/RHSA-2016-2055.html
rhn.redhat.com/errata/RHSA-2016-2056.html
www.apache.org/dist/httpd/CHANGES_2.4
www.debian.org/security/2015/dsa-3325
www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
www.securityfocus.com/bid/75963
www.securityfocus.com/bid/91787
www.securitytracker.com/id/1032967
www.ubuntu.com/usn/USN-2686-1
access.redhat.com/errata/RHSA-2015:2659
access.redhat.com/errata/RHSA-2015:2660
access.redhat.com/security/updates/classification/#moderate
github.com/apache/httpd/commit/a6027e56924bb6227c1fdbf6f91e7e2438338be6
github.com/apache/httpd/commit/e427c41257957b57036d5a549b260b6185d1dd73
h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246
h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789
lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
puppet.com/security/cve/CVE-2015-3183
security.gentoo.org/glsa/201610-02
support.apple.com/HT205219
support.apple.com/kb/HT205031