CVE-2015-7519
Phusion Passenger allows remote attackers to spoof headers
3.7
LOW
CVSS 3.1
EPSS 0.36%
Description
agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
How to fix CVE-2015-7519
To remediate CVE-2015-7519, upgrade the affected package to a fixed version below.
- —upgrade to 5.0.22-1 or later
- —upgrade to 2.2.11debian-2+deb6u1 or later
- —upgrade to 4.0.53-1+deb8u1 or later
- —upgrade to 4.0.60 or later
Is CVE-2015-7519 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 5.0.22-1
- from 0, < 2.2.11debian-2+deb6u1
- from 0, < 4.0.53-1+deb8u1
- from 0, < 4.0.60
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |