CVE-2015-3183 : The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

Published 2015-07-20 23:59:03

Updated 2023-12-14 14:06:56

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Threat overview for CVE-2015-3183

Top countries where our scanners detected CVE-2015-3183

Top open port discovered on systems with this issue 80

IPs affected by CVE-2015-3183 3,311,674

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2015-3183!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2015-3183

Probability of exploitation activity in the next 30 days: 7.18%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 94 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-3183

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2015-3183

CWE-17

Assigned by: nvd@nist.gov (Primary)
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-3183

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E

svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-2054.html

RHSA-2016:2054 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E

svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Oracle Critical Patch Update - January 2016
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2015:2660

RHSA-2015:2660 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/apache/httpd/commit/a6027e56924bb6227c1fdbf6f91e7e2438338be6

Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext · apache/httpd@a6027e5 · GitHub
Third Party Advisory
http://www.debian.org/security/2015/dsa-3325

Debian -- Security Information -- DSA-3325-1 apache2
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Apache Mail Archives
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3Ccvs.httpd.apache.org%3E

svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E

svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html

Apple - Lists.apple.com
Mailing List

CVEs referencing this url
http://marc.info/?l=bugtraq&m=144493176821532&w=2

'[security bulletin] HPSBUX03512 SSRT102254 rev.1 - HP-UX Web Server Suite running Apache, Remote Den' - MARC
Mailing List;Third Party Advisory;VDB Entry

CVEs referencing this url
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E

svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html

CVEs referencing this url
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-2056.html

Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/91787

Oracle July 2016 Critical Patch Update Multiple Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2015:2659

RHSA-2015:2659 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

Oracle Solaris Third Party Bulletin - October 2015
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2686-1

USN-2686-1: Apache HTTP Server vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E

svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s

CVEs referencing this url
http://www.apache.org/dist/httpd/CHANGES_2.4

Vendor Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a@%3Ccvs.httpd.apache.org%3E

svn commit: r1888194 [9/13] - /httpd/site/trunk/content/security/json/ - Pony Mail

CVEs referencing this url
http://www.securitytracker.com/id/1032967

Apache Bugs Let Remote Users Deny Service - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://puppet.com/security/cve/CVE-2015-3183

CVE-2015-3183 | Puppet
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1668.html

RHSA-2015:1668 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail

CVEs referencing this url
https://support.apple.com/kb/HT205031

About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006 - Apple Support
Third Party Advisory;VDB Entry

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-1666.html

RHSA-2015:1666 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s
Third Party Advisory

CVEs referencing this url
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789

HPSBUX03435 SSRT102977 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS)
Third Party Advisory;VDB Entry

CVEs referencing this url
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Oracle Critical Patch Update - July 2016
Patch

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html

openSUSE-SU-2015:1684-1: moderate: Security update for apache2
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E

svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246

HPSBUX03512 SSRT102254 rev.2 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) and Other Vulnerabilities
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Apache Mail Archives
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
https://support.apple.com/HT205219

About the security content of OS X Server v5.0.3 - Apple Support
Third Party Advisory;VDB Entry

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-2055.html

RHSA-2016:2055 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-0061.html

RHSA-2016:0061 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735

Juniper Networks - 2016-04 Security Bulletin: CTP Series: Multiple vulnerabilities in CTP Series
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E

svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html

CVEs referencing this url
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E

svn commit: r1888194 [9/13] - /httpd/site/trunk/content/security/json/-Apache Mail Archives
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

Apple - Lists.apple.com
Mailing List

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-2661.html

Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
http://www.securityfocus.com/bid/75963

Apache HTTP Server CVE-2015-3183 Security Vulnerability
Third Party Advisory;VDB Entry
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201610-02

Apache: Multiple vulnerabilities (GLSA 201610-02) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://httpd.apache.org/security/vulnerabilities_24.html

httpd 2.4 vulnerabilities - The Apache HTTP Server Project
Vendor Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073139 [9/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-Apache Mail Archives
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-0062.html

RHSA-2016:0062 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/apache/httpd/commit/e427c41257957b57036d5a549b260b6185d1dd73

Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext · apache/httpd@e427c41 · GitHub
Third Party Advisory
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html
Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

Oracle Critical Patch Update - October 2015
Third Party Advisory;VDB Entry

CVEs referencing this url
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E

svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-Apache Mail Archives
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E

svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-1667.html

RHSA-2015:1667 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2015-3183