CVE-2015-3183

Description

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

References

http://httpd.apache.org/security/vulnerabilities_24.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html

http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html

http://marc.info/?l=bugtraq&m=144493176821532&w=2

http://rhn.redhat.com/errata/RHSA-2015-1666.html

http://rhn.redhat.com/errata/RHSA-2015-1667.html

http://rhn.redhat.com/errata/RHSA-2015-1668.html

http://rhn.redhat.com/errata/RHSA-2015-2661.html

http://rhn.redhat.com/errata/RHSA-2016-0061.html

http://rhn.redhat.com/errata/RHSA-2016-0062.html

http://rhn.redhat.com/errata/RHSA-2016-2054.html

http://rhn.redhat.com/errata/RHSA-2016-2055.html

http://rhn.redhat.com/errata/RHSA-2016-2056.html

http://www.apache.org/dist/httpd/CHANGES_2.4

http://www.debian.org/security/2015/dsa-3325

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.securityfocus.com/bid/75963

http://www.securityfocus.com/bid/91787

http://www.securitytracker.com/id/1032967

http://www.ubuntu.com/usn/USN-2686-1

https://access.redhat.com/errata/RHSA-2015:2659

https://access.redhat.com/errata/RHSA-2015:2660

https://github.com/apache/httpd/commit/e427c41257957b57036d5a549b260b6185d1dd73

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://puppet.com/security/cve/CVE-2015-3183

https://security.gentoo.org/glsa/201610-02

https://support.apple.com/HT205219

https://support.apple.com/kb/HT205031

Details

Risk Information

CVSS v2.0