CVE-2017-15715
8.1
HIGH
CVSS 3.1
EPSS 93.6%
Description
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
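The mismatch described above, modelled as an added example that is not part of the original advisory or of Apache's code: an upload filter that checks only the filename suffix disagrees with a `$`-anchored pattern about a name ending in a newline. It assumes Python's `re`, whose `$` also matches just before a trailing newline; the pattern, blocklist and sample names are hypothetical.

```python
import re

# Hypothetical pattern of the kind placed in a <FilesMatch> block (assumption).
HANDLER_PATTERN = r"\.php$"
# Hypothetical external upload blocklist that checks only the suffix (assumption).
BLOCKED_SUFFIXES = (".php",)

def handler_matches_dollar(name: str) -> bool:
    """'$' semantics: end of string OR just before one trailing newline."""
    return re.search(HANDLER_PATTERN, name) is not None

def handler_matches_strict(name: str) -> bool:
    """Same pattern anchored with \\Z, which matches only at the true end."""
    return re.search(HANDLER_PATTERN[:-1] + r"\Z", name) is not None

def upload_blocked_by_suffix(name: str) -> bool:
    """External filter that looks only at the trailing portion of the name."""
    return name.lower().endswith(BLOCKED_SUFFIXES)

def upload_blocked_hardened(name: str) -> bool:
    """Reject any control character first, then apply the suffix blocklist."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return True
    return upload_blocked_by_suffix(name)

def filters_disagree(name: str) -> bool:
    """True when the upload filter accepts a name the '$' pattern still matches."""
    return not upload_blocked_by_suffix(name) and handler_matches_dollar(name)

# Constructed sample filenames; the third ends in a newline character.
SAMPLES = ["report.pdf", "index.php", "notes.php\n", "notes.php.txt"]

def audit(names):
    """Return the names on which the two checks disagree."""
    return [n for n in names if filters_disagree(n)]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n!r:18} suffix_block={upload_blocked_by_suffix(n)!s:5} "
              f"dollar={handler_matches_dollar(n)!s:5} "
              f"strict={handler_matches_strict(n)!s:5} "
              f"hardened_block={upload_blocked_hardened(n)}")
    print("disagreements:", audit(SAMPLES))
```

Running `audit` over the names already present in an upload directory flags files whose name the suffix filter accepted but a `$`-anchored pattern would still match.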
How to fix CVE-2017-15715
To remediate CVE-2017-15715, upgrade the affected package to a fixed version below.
- Upgrade to 2.4.33-r0 or later
- Upgrade to 2.4.33-1 or later
Is CVE-2017-15715 being exploited?
Likely — EPSS is 93.6%, placing CVE-2017-15715 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- from 0, < 2.4.33-r0
- from 0, < 2.4.33-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |