CVE-2015-7519

Published Jan 8, 2016

Last updated 6 years ago

CVSS low 3.7

Overview

Description: agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
Source: secalert@redhat.com
NVD status: Modified

Risk scores

CVSS 3.0

Type: Primary
Base score: 3.7
Impact score: 1.4
Exploitability score: 2.2
Vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity: LOW

CVSS 2.0

Type: Primary
Base score: 4.3
Impact score: 2.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "229C15B3-CA53-48D1-9C0D-AE5FE41DB898",
            "versionEndIncluding": "4.0.59"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "49C6BD64-D314-41DE-8568-18FAB1FE6E4B"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AEAEA702-60D9-474A-9127-B32A04C3E981"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "74275030-3672-4425-8A1E-E9316377BA92"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8C44CEC2-F531-4983-81A7-8C983126F54A"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1ADB5A6B-ABE5-493D-A25C-F43AFD78FCB2"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "547EAB56-1E4E-49FC-AD36-D91B1FABE33F"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E86EB4A2-7265-4EC7-B04B-06F74F34642A"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C0A42C4C-6236-4C2B-BC50-9AAFA2AA26BC"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "12A071DA-2404-478C-A95F-0DEFFECE4B6A"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3E0F970E-9293-4831-812B-BD59D3D34B82"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C441FB72-3D18-43F0-A6C7-CC9BC03FA793"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A5BE194B-B89E-4D30-9693-4A14354AD0FF"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EC919748-014D-482C-9CF2-67436D1E6656"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "62A3F5AC-196E-4EA9-8FE1-93003B337965"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "442AE25D-A167-4AB2-8898-AFCFF562A1F6"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3DE44E1C-AEB8-425B-8277-D78258154D01"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.11:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4E596EE5-C311-4A50-A68F-936BFF771FBE"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.12:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "61400E33-7833-4EEF-AA33-5585290D8B68"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.13:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B6973554-36EB-43D4-BDC7-52B742EAFFFE"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.14:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "894F0827-8924-46FD-83C5-F9E2CB756578"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.15:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1007D5F9-B8D4-4283-9BF0-A5EF187861DB"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.16:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FEFBB8A4-F7B9-464F-83B0-B407DD54FC85"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.17:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2ED09D90-5A43-4FFD-9F0E-1E31F56AEB5E"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.18:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "741FF5DB-1BB1-4E3F-A358-4F6FBDCB9DFE"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.19:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3F854688-6812-48B1-8873-45B206308791"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.20:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "81BDF312-8324-406D-AB4D-0FF55E7B73F6"
          },
          {
            "criteria": "cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.21:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4F7278BD-6278-402C-B941-FD8C8A72E88C"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References