CVE-2013-5704

CWE-287 — Improper Authentication12 documents9 sources

Severity

5.0MEDIUM

EPSS

64.7%

top 1.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X Apple MAC OS X Server Oracle Enterprise Manager OPS Center +12 more

Timeline

PublishedApr 15

Latest updateMay 13

Description

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages13 packages

▶NVDapache/http_server34 versions+33

▶NVDoracle/http_server4 versions+3

▶NVDredhat/jboss_enterprise_web_server2.0.0, 3.0.0+1

▶NVDapple/mac_os_x_server< 5.0.3

▶Debianapache2< 2.4.10-2+3

Also affects: Ubuntu Linux 10.04, 12.04, 14.04, 14.10, Enterprise Linux 7.3, 7.4, 7.5, 7.6, 7.7

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-gwg2-5774-jpjm: The mod_headers module in the Apache HTTP Server 2↗2022-05-13

▶

OSV

apache2 vulnerabilities↗2015-03-10

▶

OSV

CVE-2013-5704: The mod_headers module in the Apache HTTP Server 2↗2014-04-15

▶

CVEList

CVE-2013-5704: The mod_headers module in the Apache HTTP Server 2↗2014-04-15

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2015-03-10

▶

Red Hat

httpd: bypass of mod_headers rules via chunked requests↗2013-10-19

▶

Debian

CVE-2013-5704: apache2 - The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers ...↗2013

▶

Apple

CVE-2013-5704: OS X Server v5.0.3↗

▶

Apple

CVE-2013-5704: OS X Yosemite v10.10.3 and Security Update 2015-004↗

▶

💬Community

Bugzilla

CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests↗2014-04-01

▶

Bugzilla

CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests [fedora-all]↗2014-04-01

▶