GHSA-fxwv-953p-7qpf

Suggest an improvement
Source
https://github.com/advisories/GHSA-fxwv-953p-7qpf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fxwv-953p-7qpf/GHSA-fxwv-953p-7qpf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fxwv-953p-7qpf
Aliases
Published
2018-10-10T17:29:13Z
Modified
2024-02-22T05:28:48.557879Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Phusion Passenger allows remote attackers to spoof headers
Details

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.

References

Affected packages

RubyGems / passenger

Package

Name
passenger
Purl
pkg:gem/passenger

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.60

Affected versions

1.*

1.0.1
1.0.2
1.0.3
1.0.4
1.0.5

2.*

2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15

3.*

3.0.0.pre1
3.0.0.pre2
3.0.0.pre3
3.0.0.pre4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.17
3.0.18
3.0.19
3.0.21
3.9.1.beta
3.9.2.beta

4.*

4.0.0.rc4
4.0.0.rc6
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.10
4.0.13
4.0.14
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.0.29
4.0.30
4.0.31
4.0.32
4.0.33
4.0.34
4.0.35
4.0.36
4.0.37
4.0.38
4.0.39
4.0.40
4.0.41
4.0.42
4.0.43
4.0.44
4.0.45
4.0.46
4.0.48
4.0.49
4.0.50
4.0.51
4.0.52
4.0.53
4.0.55
4.0.56
4.0.57
4.0.58
4.0.59

RubyGems / passenger

Package

Name
passenger
Purl
pkg:gem/passenger

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.22

Affected versions

5.*

5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21