Description
agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
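Added example, not Passenger's code: it shows why an underscore header is ambiguous once header names are mapped to CGI-style variables (upper-case, `-` replaced by `_`, `HTTP_` prefix), and one mitigation, discarding underscore names before the mapping. The function names, the sample request and the drop-on-underscore policy are assumptions for illustration; the application is assumed to read the identity from `HTTP_X_USER`.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Header = std::pair<std::string, std::string>;

// CGI-style mapping (RFC 3875 meta-variables): upper-case the header name,
// turn '-' into '_' and prefix it with HTTP_.
std::string cgiName(const std::string &name) {
    std::string out = "HTTP_";
    for (unsigned char c : name) {
        out += (c == '-') ? '_' : static_cast<char>(std::toupper(c));
    }
    return out;
}

// Build the variables the application sees (hypothetical helper).
// dropUnderscore=false: "X_User" lands in the slot meant for "X-User".
// dropUnderscore=true:  ambiguous names are discarded before mapping.
std::map<std::string, std::string> buildEnv(const std::vector<Header> &headers,
                                            bool dropUnderscore) {
    std::map<std::string, std::string> env;
    for (const auto &h : headers) {
        if (dropUnderscore && h.first.find('_') != std::string::npos) {
            continue;
        }
        env[cgiName(h.first)] = h.second;
    }
    return env;
}

// Constructed sample: a front end has already removed any client-supplied
// "X-User", but it does not recognise "X_User" and lets it through.
std::vector<Header> sampleRequest() {
    return {{"Host", "app.example"}, {"X_User", "admin"}};
}

int main() {
    for (bool drop : {false, true}) {
        auto env = buildEnv(sampleRequest(), drop);
        auto it = env.find("HTTP_X_USER");
        std::cout << (drop ? "filtered:   " : "unfiltered: ") << "HTTP_X_USER="
                  << (it == env.end() ? "<unset>" : it->second) << "\n";
    }
    return 0;
}
```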
| Release | Status | Note |
|---|---|---|
| devel | not-affected | 5.0.22-1 |
| esm-apps/xenial | not-affected | 5.0.22-1 |
| esm-infra-legacy/trusty | DNE | |
| precise | released | 2.2.11debian-2+deb6u1ubuntu12.04.1 |
| trusty | DNE | |
| trusty/esm | DNE | |
| upstream | released | 5.0.22-1 |
| vivid | DNE | |
| vivid/stable-phone-overlay | DNE | |
| vivid/ubuntu-core | DNE | |
CVSS2: 4.3 Medium
CVSS3: 3.7 Low
Related vulnerabilities
agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0. ...
Phusion Passenger allows remote attackers to spoof headers