⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.
CVE-2017-15715
Severity
8.1 HIGH
EPSS
94.1%
top 0.09%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Mar 26
Latest update: May 13
Description
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9
Affected Packages: 3 packages
Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04, Enterprise Linux 6.0, 7.0, 7.4, 7.5, 7.6
🔴 Vulnerability Details (6)
💥 Exploits & PoCs (2)
Nuclei: Apache httpd <=2.4.29 - Arbitrary File Upload
📋 Vendor Advisories (4)
Debian: CVE-2017-15715: apache2 - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could ... (2017)