CVE-2015-7519

Publication date 8 January 2016

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

3.7 · Low

Score breakdown

Description

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.

Status

Package Ubuntu Release Status
passenger 16.04 LTS xenial
Not affected
15.10 wily Not in release
15.04 vivid Not in release
14.04 LTS trusty Not in release
12.04 LTS precise
Fixed 2.2.11debian-2+deb6u1ubuntu12.04.1

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
passenger

Severity score breakdown

Parameter Value
Base score 3.7 · Low
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Other references