Description
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
Affected packages
Platform | Package | Status | Advisory | Release date |
---|---|---|---|---|
CloudForms Management Engine 5 | httpd | Affected | ||
Red Hat Directory Server 8 | httpd | Will not fix | ||
Red Hat Enterprise Linux 4 | httpd | Will not fix | ||
Red Hat Enterprise Linux 5 | httpd | Will not fix | ||
Red Hat JBoss Enterprise Web Server 1 | httpd | Will not fix | ||
Red Hat Enterprise Linux 6 | httpd | Fixed | RHSA-2015:1668 | 24.08.2015 |
Red Hat Enterprise Linux 7 | httpd | Fixed | RHSA-2015:1667 | 24.08.2015 |
Red Hat JBoss Enterprise Application Platform 6.4 | | Fixed | RHSA-2016:2056 | 12.10.2016 |
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 | hornetq-native | Fixed | RHSA-2016:2055 | 12.10.2016 |
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 | httpd | Fixed | RHSA-2016:2055 | 12.10.2016 |
Additional information
Status:
EPSS
CVSS3: 3.7 Low
CVSS2: 2.6 Low