Low severity3.7NVD Advisory· Published Jan 8, 2016· Updated Jun 17, 2026
CVE-2015-7519
CVE-2015-7519
Description
agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
passengerRubyGems | < 4.0.60 | 4.0.60 |
passengerRubyGems | >= 5.0.0, < 5.0.22 | 5.0.22 |
Affected products
33cpe:2.3:a:phusionpassenger:phusion_passenger:*:*:*:*:*:*:*:*+ 27 more
- cpe:2.3:a:phusionpassenger:phusion_passenger:*:*:*:*:*:*:*:*range: <=4.0.59
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:phusionpassenger:phusion_passenger:5.0.9:*:*:*:*:*:*:*
- ghsa-coords5 versionspkg:gem/passengerpkg:rpm/suse/rubygem-passenger&distro=SUSE%20Lifecycle%20Management%20Server%201.3pkg:rpm/suse/rubygem-passenger&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/rubygem-passenger&distro=SUSE%20Studio%20Onsite%201.3pkg:rpm/suse/rubygem-passenger&distro=SUSE%20WebYast%201.3
< 4.0.60+ 4 more
- (no CPE)range: < 4.0.60
- (no CPE)range: < 3.0.14-0.14.1
- (no CPE)range: < 5.0.18-6.1
- (no CPE)range: < 3.0.14-0.14.1
- (no CPE)range: < 3.0.14-0.14.1
Patches
Vulnerability mechanics
References
13- blog.phusion.nl/2015/12/07/cve-2015-7519/nvdVendor Advisory
- github.com/advisories/GHSA-fxwv-953p-7qpfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-7519ghsaADVISORY
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00024.htmlnvdWEB
- www.openwall.com/lists/oss-security/2015/12/07/1nvdWEB
- www.openwall.com/lists/oss-security/2015/12/07/2nvdWEB
- blog.phusion.nl/2015/12/07/cve-2015-7519ghsaWEB
- bugzilla.suse.com/show_bug.cginvdWEB
- github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3envdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2015-7519.ymlghsaWEB
- lists.debian.org/debian-lts-announce/2018/06/msg00007.htmlnvdWEB
- web.archive.org/web/20220327073056/https://www.puppet.com/security/cve/passenger-dec-2015-security-fixesghsaWEB
- puppet.com/security/cve/passenger-dec-2015-security-fixesnvd
News mentions
0No linked articles in our index yet.