CVE-2015-7519 — Vulnetix

Try Vulnetix Request Demo

CVE-2015-7519 REJECTED

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.

EPSS 0.36% · 58.0th percentile

Risk Scores

EPSS Score

0.36%

58.0th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	passenger	0, 5.0.7-3

Timeline

Jan 8, 2016 CVE Published
Jun 28, 2018 CVE Updated
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 19, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2015-7519 third-party-advisory
https://bugzilla.suse.com/show_bug.cgi?id=956281 third-party-advisory
https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2015-7519 third-party-advisory

Open in Interactive Console →