CVE-2013-2503
Published: 2013-03-11
Priority: P3 (36) · Severity: medium · CVSS 2.0 base score: 5.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Exploit likelihood (EPSS): 4.63% (90.6th percentile)
Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code.
Affected (34 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | privoxy | < privoxy 3.0.21-1 (bookworm) | privoxy 3.0.21-1 (bookworm) |
| privoxy | privoxy | <= 3.0.20 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 5.8 | MEDIUM | — |
| vendor_debian | — | 5.8 | LOW | — |
| vendor_redhat | — | 5.8 | MEDIUM | — |
GHSA
GHSA-xwv2-6j43-gjcx (ghsa_unreviewed · 2022-05-17) · CVE-2013-2503 [MEDIUM] · CWE-20
Description as in the CVE summary above.
OSV
CVE-2013-2503 (osv · 2013-03-11 · CVSS 5.8) [MEDIUM]
Description as in the CVE summary above.
Red Hat
privoxy: Proxy-Authentication response spoofing (vendor_redhat · 2013-03-11 · CVSS 5.8) [MEDIUM]
Description as in the CVE summary above.
Package: privoxy (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2013-2503: privoxy (vendor_debian · 2013 · CVSS 5.8) [MEDIUM]
Description as in the CVE summary above.
Scope: local
bookworm: resolved (fixed in 3.0.21-1)
bullseye: resolved (fixed in 3.0.21-1)
forky: resolved (fixed in 3.0.21-1)
sid: resolved (fixed in 3.0.21-1)
trixie: resolved (fixed in 3.0.21-1)
No detection rules found.
Bugzilla
CVE-2013-2503 privoxy: Proxy-Authentication response spoofing (bugzilla · 2013-03-12 · CVSS 5.8) [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2503 to the following vulnerability:
Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2503
[2] http://blog.c22.cc/2013/03/11/privoxy-proxy-authentication-credential-exposure-cve-2013-2503/
[3] http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup
Discussion:
This issue affects the version of the privoxy package, as shipped
Bugzilla
CVE-2013-2503 privoxy: Proxy-Authentication response spoofing [epel-6] (bugzilla · 2013-03-12 · CVSS 5.8) [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
epel-6 tracking bug for privo
Bugzilla
CVE-2013-2503 privoxy: Proxy-Authentication response spoofing [fedora-all] (bugzilla · 2013-03-12 · CVSS 5.8) [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this issue affect
References:
[1] http://blog.c22.cc/2013/03/11/privoxy-proxy-authentication-credential-exposure-cve-2013-2503/
[2] http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup
[3] http://lists.opensuse.org/opensuse-updates/2013-03/msg00118.html
Published: 2013-03-11