CVE-2015-3183
apache2 - security update
EPSS 24.1%
Description
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
How to fix CVE-2015-3183
To remediate CVE-2015-3183, upgrade the affected package to a fixed version below.
- Debian/apache2—upgrade to 2.4.16-1 or later
- Debian/apache2—upgrade to 2.2.16-6+squeeze15 or later
- —upgrade to 2.2.22-13+deb7u5 or later
Is CVE-2015-3183 being exploited?
Moderate — EPSS is 24.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 2.4.16-1
- from 0, < 2.2.16-6+squeeze15
- from 0, < 2.2.22-13+deb7u5