1. Home
  2. CVE Database
  3. CVE-2017-15715
HIGH · 8.1

CVE-2017-15715

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could ...

Vulnerability Description

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.

CVSS Score

8.1

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
ApacheHttp Server>= 2.4.0, <= 2.4.29
DebianDebian Linux8.0
CanonicalUbuntu Linux14.04
NetappSantricity Cloud Connector-
NetappStorage Automation Store-
NetappStoragegrid-
NetappClustered Data Ontap-
RedhatEnterprise Linux6.0

Related Weaknesses (CWE)

CWE-20

References

FAQ

What is CVE-2017-15715?

CVE-2017-15715 is a vulnerability with a CVSS score of 8.1 (HIGH). In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could ...

How severe is CVE-2017-15715?

CVE-2017-15715 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-15715?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Canonical Ubuntu Linux, Netapp Santricity Cloud Connector, Netapp Storage Automation Store.