Unrated severityNVD Advisory· Published Mar 26, 2018· Updated Sep 17, 2024
CVE-2017-15715
CVE-2017-15715
Description
In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.
Affected products
12- osv-coords11 versionspkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%207
< 2.4.16-20.16.1+ 10 more
- (no CPE)range: < 2.4.16-20.16.1
- (no CPE)range: < 2.4.23-29.18.2
- (no CPE)range: < 2.4.23-29.18.2
- (no CPE)range: < 2.4.23-29.18.2
- (no CPE)range: < 2.4.10-14.31.1
- (no CPE)range: < 2.4.16-20.16.1
- (no CPE)range: < 2.4.23-29.18.2
- (no CPE)range: < 2.4.23-29.18.2
- (no CPE)range: < 2.4.23-29.18.2
- (no CPE)range: < 2.4.16-20.16.1
- (no CPE)range: < 2.4.23-29.18.2
- Apache Software Foundation/Apache HTTP Serverv5Range: 2.4.0 to 2.4.29
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
27- access.redhat.com/errata/RHSA-2018:3558mitrevendor-advisoryx_refsource_REDHAT
- access.redhat.com/errata/RHSA-2019:0366mitrevendor-advisoryx_refsource_REDHAT
- access.redhat.com/errata/RHSA-2019:0367mitrevendor-advisoryx_refsource_REDHAT
- usn.ubuntu.com/3627-1/mitrevendor-advisoryx_refsource_UBUNTU
- usn.ubuntu.com/3627-2/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2018/dsa-4164mitrevendor-advisoryx_refsource_DEBIAN
- www.openwall.com/lists/oss-security/2018/03/24/6mitremailing-listx_refsource_MLIST
- www.securityfocus.com/bid/103525mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1040570mitrevdb-entryx_refsource_SECTRACK
- httpd.apache.org/security/vulnerabilities_24.htmlmitrex_refsource_CONFIRM
- lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
- security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.htmlmitrex_refsource_MISC
- security.netapp.com/advisory/ntap-20180601-0004/mitrex_refsource_CONFIRM
- support.hpe.com/hpsc/doc/public/displaymitrex_refsource_CONFIRM
- www.tenable.com/security/tns-2019-09mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.