CVE-2017-15715

Description

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.

CVSS Metrics

• v3.0•HIGH•Score: 8.1CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 93.62%• Percentile: 100%

Techniques & Countermeasures

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• apache software foundation•apache http server

  2.4.0 to 2.4.29

• Unknown•HTTP Server

  ≥ 2.4.0, ≤ 2.4.29

• canonical•ubuntu_linux

  14.04 | 16.04 | 17.10 | 18.04

• debian•debian_linux

  8.0 | 9.0

• netapp•clustered_data_ontap

  na

• netapp•santricity_cloud_connector

  na

• netapp•storage_automation_store

  na

• netapp•storagegrid

  na

• redhat•enterprise_linux

  6.0 | 7.0 | 7.4 | 7.5 | 7.6

References (27)

• https://usn.ubuntu.com/3627-1/
• https://www.debian.org/security/2018/dsa-4164
• https://security.netapp.com/advisory/ntap-20180601-0004/
• https://access.redhat.com/errata/RHSA-2018:3558
• https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us
• https://access.redhat.com/errata/RHSA-2019:0367
• https://usn.ubuntu.com/3627-2/
• http://www.securityfocus.com/bid/103525
• http://www.securitytracker.com/id/1040570
• https://httpd.apache.org/security/vulnerabilities_24.html
• http://www.openwall.com/lists/oss-security/2018/03/24/6
• https://access.redhat.com/errata/RHSA-2019:0366
• https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
• https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html
• https://www.tenable.com/security/tns-2019-09
• https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
• https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E