CVE-2017-15715 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
apache	http_server	2.4.0 ≤ 𝑥 ≤ 2.4.29
debian	debian_linux	8.0
debian	debian_linux	9.0
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	17.10
canonical	ubuntu_linux	18.04
netapp	santricity_cloud_connector	-
netapp	storage_automation_store	-
netapp	storagegrid	-
netapp	clustered_data_ontap	-
redhat	enterprise_linux	6.0
redhat	enterprise_linux	7.0
redhat	enterprise_linux	7.4
redhat	enterprise_linux	7.5
redhat	enterprise_linux	7.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

apache2

bookworm	2.4.62-1~deb12u1 fixed
bookworm (security)	2.4.62-1~deb12u2 fixed
bullseye	2.4.62-1~deb11u1 fixed
bullseye (security)	2.4.62-1~deb11u2 fixed
sid	2.4.62-3 fixed
trixie	2.4.62-3 fixed
wheezy	not-affected

Ubuntu Releases

Ubuntu Product

Codename

apache2

artful	Fixed 2.4.27-2ubuntu4.1 released
bionic	Fixed 2.4.29-1ubuntu4.1 released
trusty	Fixed 2.4.7-1ubuntu4.20 released
xenial	Fixed 2.4.18-2ubuntu3.8 released

openSUSE / SLES Releases

openSUSE Product

Release

apache2

suse enterprise sap 12 SP3	2.4.23-29.18.2 fixed
suse enterprise sap 12 SP5	2.4.23-29.43.1 fixed
suse enterprise server 12	2.4.10-14.31.1 fixed
suse enterprise server 12 SP1	2.4.16-20.16.1 fixed
suse enterprise server 12 SP2	2.4.23-29.18.2 fixed
suse enterprise server 12 SP3	2.4.23-29.18.2 fixed
suse enterprise server 12 SP5	2.4.23-29.43.1 fixed

apache2-doc

suse enterprise sap 12 SP3	2.4.23-29.18.2 fixed
suse enterprise sap 12 SP5	2.4.23-29.43.1 fixed
suse enterprise server 12	2.4.10-14.31.1 fixed
suse enterprise server 12 SP1	2.4.16-20.16.1 fixed
suse enterprise server 12 SP2	2.4.23-29.18.2 fixed
suse enterprise server 12 SP3	2.4.23-29.18.2 fixed
suse enterprise server 12 SP5	2.4.23-29.43.1 fixed

apache2-example-pages

suse enterprise sap 12 SP3	2.4.23-29.18.2 fixed
suse enterprise sap 12 SP5	2.4.23-29.43.1 fixed
suse enterprise server 12	2.4.10-14.31.1 fixed
suse enterprise server 12 SP1	2.4.16-20.16.1 fixed
suse enterprise server 12 SP2	2.4.23-29.18.2 fixed
suse enterprise server 12 SP3	2.4.23-29.18.2 fixed
suse enterprise server 12 SP5	2.4.23-29.43.1 fixed

apache2-prefork

suse enterprise sap 12 SP3	2.4.23-29.18.2 fixed
suse enterprise sap 12 SP5	2.4.23-29.43.1 fixed
suse enterprise server 12	2.4.10-14.31.1 fixed
suse enterprise server 12 SP1	2.4.16-20.16.1 fixed
suse enterprise server 12 SP2	2.4.23-29.18.2 fixed
suse enterprise server 12 SP3	2.4.23-29.18.2 fixed
suse enterprise server 12 SP5	2.4.23-29.43.1 fixed

apache2-utils

suse enterprise sap 12 SP3	2.4.23-29.18.2 fixed
suse enterprise sap 12 SP5	2.4.23-29.43.1 fixed
suse enterprise server 12	2.4.10-14.31.1 fixed
suse enterprise server 12 SP1	2.4.16-20.16.1 fixed
suse enterprise server 12 SP2	2.4.23-29.18.2 fixed
suse enterprise server 12 SP3	2.4.23-29.18.2 fixed
suse enterprise server 12 SP5	2.4.23-29.43.1 fixed

apache2-worker

suse enterprise sap 12 SP3	2.4.23-29.18.2 fixed
suse enterprise sap 12 SP5	2.4.23-29.43.1 fixed
suse enterprise server 12	2.4.10-14.31.1 fixed
suse enterprise server 12 SP1	2.4.16-20.16.1 fixed
suse enterprise server 12 SP2	2.4.23-29.18.2 fixed
suse enterprise server 12 SP3	2.4.23-29.18.2 fixed
suse enterprise server 12 SP5	2.4.23-29.43.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

httpd

RHEL 7

0:2.4.6-95.el7

fixed

httpd-devel

RHEL 7

0:2.4.6-95.el7

fixed

httpd-manual

RHEL 7

0:2.4.6-95.el7

fixed

httpd-tools

RHEL 7

0:2.4.6-95.el7

fixed

mod

RHEL 7

1:2.4.6-95.el7

fixed

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://www.openwall.com/lists/oss-security/2018/03/24/6

http://www.securityfocus.com/bid/103525

http://www.securitytracker.com/id/1040570

https://access.redhat.com/errata/RHSA-2018:3558

https://access.redhat.com/errata/RHSA-2019:0366

https://access.redhat.com/errata/RHSA-2019:0367

https://httpd.apache.org/security/vulnerabilities_24.html

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html

https://security.netapp.com/advisory/ntap-20180601-0004/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://usn.ubuntu.com/3627-1/

https://usn.ubuntu.com/3627-2/

https://www.debian.org/security/2018/dsa-4164

https://www.tenable.com/security/tns-2019-09

http://www.openwall.com/lists/oss-security/2018/03/24/6

http://www.securityfocus.com/bid/103525

http://www.securitytracker.com/id/1040570

https://access.redhat.com/errata/RHSA-2018:3558

https://access.redhat.com/errata/RHSA-2019:0366

https://access.redhat.com/errata/RHSA-2019:0367

https://httpd.apache.org/security/vulnerabilities_24.html

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html

https://security.netapp.com/advisory/ntap-20180601-0004/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://usn.ubuntu.com/3627-1/

https://usn.ubuntu.com/3627-2/

https://www.debian.org/security/2018/dsa-4164

https://www.tenable.com/security/tns-2019-09