CVE-2015-3183 — Improper Input Validation in Apache Http Server

CWE-17 CWE-20 — Improper Input Validation CWE-172 — Encoding Error12 documents9 sources

Severity

5.0MEDIUMNVD

EPSS

28.3%

top 3.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server

Timeline

PublishedJul 20

Latest updateMay 13

Description

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/http_server2.2.0 — 2.2.31+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-892q-vvcr-v6j5: The chunked transfer coding implementation in the Apache HTTP Server before 2↗2022-05-13

▶

OSV

apache2 vulnerabilities↗2015-07-27

▶

CVEList

CVE-2015-3183: The chunked transfer coding implementation in the Apache HTTP Server before 2↗2015-07-20

▶

OSV

CVE-2015-3183: The chunked transfer coding implementation in the Apache HTTP Server before 2↗2015-07-20

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2015-07-27

▶

Red Hat

httpd: HTTP request smuggling attack against chunked request parser↗2015-07-15

▶

Debian

CVE-2015-3183: apache2 - The chunked transfer coding implementation in the Apache HTTP Server before 2.4....↗2015

▶

Apple

CVE-2015-3183: OS X Server v5.0.3↗

▶

Apple

CVE-2015-3183: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2015-3185 CVE-2015-3183 CVE-2015-0253 httpd: various flaws [fedora-all]↗2015-07-16

▶

Bugzilla

CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser↗2015-07-16

▶