CVE-2013-5704

Опубликовано: 15 апр. 2014

Источник: nvd

CVSS2: 5

EPSS Высокий

Описание

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Ссылки

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
Mailing List
Third Party Advisory
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
Mailing List
Third Party Advisory
http://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2
Mailing List
Third Party Advisory
http://marc.info/?l=bugtraq&m=143403519711434&w=2
Issue Tracking
Mailing List
Third Party Advisory
http://marc.info/?l=bugtraq&m=143403519711434&w=2
Issue Tracking
Mailing List
Third Party Advisory
http://marc.info/?l=bugtraq&m=144493176821532&w=2
Issue Tracking
Mailing List
Third Party Advisory
http://marc.info/?l=bugtraq&m=144493176821532&w=2
Issue Tracking
Mailing List
Third Party Advisory
http://martin.swende.se/blog/HTTPChunked.html
Broken Link
Exploit
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0325.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1249.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-2661.html
Broken Link
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0061.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0062.html
Third Party Advisory
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES
Release Notes
Vendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c
Patch
Vendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=1610674&r2=1610814&diff_format=h
Patch
Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2014:174
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Конфигурация 3

Одновременно

cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*

Одно из

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*

Одно из

cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:a:oracle:enterprise_manager_ops_center:*:*:*:*:*:*:*:*

Версия до 12.1.4 (исключая)

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:http_server:10.1.3.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:http_server:11.1.1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:http_server:12.1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:http_server:12.1.3.0:*:*:*:*:*:*:*

cpe:2.3:o:oracle:linux:6:-:*:*:*:*:*:*

cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*

Конфигурация 6

Одно из

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

Версия до 10.10.4 (исключая)

cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*

Версия до 5.0.3 (исключая)

Конфигурация 7

Одно из

cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

EPSS

Процентиль: 99%

0.8475

Высокий

5 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

CVE-2013-5704

ubuntu

больше 11 лет назад

CVE-2013-5704

redhat

почти 12 лет назад

CVE-2013-5704

debian

больше 11 лет назад

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote ...

GHSA-gwg2-5774-jpjm

github

больше 3 лет назад

ELSA-2015-1249

oracle-oval

около 10 лет назад

ELSA-2015-1249: httpd security, bug fix, and enhancement update (LOW)

EPSS

Процентиль: 99%

0.8475

Высокий

5 Medium

CVSS2

Дефекты

NVD-CWE-noinfo