MEDIUM · 5.0

CVE-2015-3153

Vulnerability Description

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

CVSS Score

5.0

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE

Affected Products

Vendor      Product                          Versions
Oracle      Enterprise Manager Ops Center    <= 12.1.3
Haxx        Curl                             <= 7.42.0
Haxx        Libcurl                          <= 7.42.0
Canonical   Ubuntu Linux                     12.04
Apple       Mac Os X                         10.10.4
Debian      Debian Linux                     8.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2015-3153?

CVE-2015-3153 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information ...

How severe is CVE-2015-3153?

CVE-2015-3153 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2015-3153?

Check the references section above for vendor advisories and patch information. Affected products include: Oracle Enterprise Manager Ops Center, Haxx Curl, Haxx Libcurl, Canonical Ubuntu Linux, Apple Mac Os X.