GHSA-fxwv-953p-7qpf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fxwv-953p-7qpf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fxwv-953p-7qpf/GHSA-fxwv-953p-7qpf.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fxwv-953p-7qpf
- Aliases
- Published
- 2018-10-10T17:29:13Z
- Modified
- 2024-02-22T05:28:48.557879Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Phusion Passenger allows remote attackers to spoof headers
- Details
-
agent/Core/Controller/SendRequest.cppin Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an_(underscore) character instead of a-(dash) character in an HTTP header, as demonstrated by anX_Userheader. - Database specific
{ "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "severity": "LOW", "nvd_published_at": null, "github_reviewed_at": "2020-06-16T21:35:50Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-7519
- https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e
- https://blog.phusion.nl/2015/12/07/cve-2015-7519
- https://bugzilla.suse.com/show_bug.cgi?id=956281
- https://github.com/advisories/GHSA-fxwv-953p-7qpf
- https://github.com/phusion/passenger
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.yml
- https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html
- https://web.archive.org/web/20220327073056/https://www.puppet.com/security/cve/passenger-dec-2015-security-fixes
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00024.html
- http://www.openwall.com/lists/oss-security/2015/12/07/1
- http://www.openwall.com/lists/oss-security/2015/12/07/2
Affected packages
RubyGems / passenger
Package
- Name
- passenger
- Purl
- pkg:gem/passenger
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.0.60
Affected versions
1.*
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
2.*
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
3.*
3.0.0.pre1
3.0.0.pre2
3.0.0.pre3
3.0.0.pre4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.17
3.0.18
3.0.19
3.0.21
3.9.1.beta
3.9.2.beta
4.*
4.0.0.rc4
4.0.0.rc6
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.10
4.0.13
4.0.14
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.0.29
4.0.30
4.0.31
4.0.32
4.0.33
4.0.34
4.0.35
4.0.36
4.0.37
4.0.38
4.0.39
4.0.40
4.0.41
4.0.42
4.0.43
4.0.44
4.0.45
4.0.46
4.0.48
4.0.49
4.0.50
4.0.51
4.0.52
4.0.53
4.0.55
4.0.56
4.0.57
4.0.58
4.0.59
RubyGems / passenger
Package
- Name
- passenger
- Purl
- pkg:gem/passenger