CVE-2013-5704

Published: Apr 15, 2014Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Affected (71)

Products: Apache: Http Server · Redhat: Enterprise Linux Desktop, Enterprise Linux Eus, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Server Tus, Enterprise Linux Workstation, Jboss Enterprise Web Server · Oracle: Enterprise Manager Ops Center, Http Server, Linux, Solaris · +2 more

Show all products

Configuration A

34 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	Version 2.2.0
Apache Http Server	Version 2.2.10
Apache Http Server	Version 2.2.11
Apache Http Server	Version 2.2.12
Apache Http Server	Version 2.2.13
Apache Http Server	Version 2.2.14
Apache Http Server	Version 2.2.15
Apache Http Server	Version 2.2.16
Apache Http Server	Version 2.2.17
Apache Http Server	Version 2.2.18
Apache Http Server	Version 2.2.19
Apache Http Server	Version 2.2.20
Apache Http Server	Version 2.2.21
Apache Http Server	Version 2.2.22
Apache Http Server	Version 2.2.23
Apache Http Server	Version 2.2.24
Apache Http Server	Version 2.2.25
Apache Http Server	Version 2.2.26
Apache Http Server	Version 2.2.27
Apache Http Server	Version 2.2.2
Apache Http Server	Version 2.2.3
Apache Http Server	Version 2.2.4
Apache Http Server	Version 2.2.5
Apache Http Server	Version 2.2.6
Apache Http Server	Version 2.2.8
Apache Http Server	Version 2.2.9
Apache Http Server	Version 2.4.10
Apache Http Server	Version 2.4.1
Apache Http Server	Version 2.4.2
Apache Http Server	Version 2.4.3
Apache Http Server	Version 2.4.4
Apache Http Server	Version 2.4.6
Apache Http Server	Version 2.4.7
Apache Http Server	Version 2.4.9

Configuration B

18 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Eus	Version 7.3
Redhat Enterprise Linux Eus	Version 7.4
Redhat Enterprise Linux Eus	Version 7.5
Redhat Enterprise Linux Eus	Version 7.6
Redhat Enterprise Linux Eus	Version 7.7
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Server Aus	Version 7.3
Redhat Enterprise Linux Server Aus	Version 7.4
Redhat Enterprise Linux Server Aus	Version 7.6
Redhat Enterprise Linux Server Aus	Version 7.7
Redhat Enterprise Linux Server Tus	Version 7.3
Redhat Enterprise Linux Server Tus	Version 7.6
Redhat Enterprise Linux Server Tus	Version 7.7
Redhat Enterprise Linux Workstation	Version 6.0
Redhat Enterprise Linux Workstation	Version 7.0

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Web Server	Version 3.0.0

Configuration D

1 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Web Server	Version 2.0.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 5.0
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0

Configuration E

11 vulnerable

Vulnerable Software	Affected Versions
Oracle Enterprise Manager Ops Center	Before 12.1.4
Oracle Enterprise Manager Ops Center	Version 12.1.4
Oracle Enterprise Manager Ops Center	Version 12.2.0
Oracle Enterprise Manager Ops Center	Version 12.2.1
Oracle Enterprise Manager Ops Center	Version 12.3.0
Oracle Http Server	Version 10.1.3.5.0
Oracle Http Server	Version 11.1.1.7.0
Oracle Http Server	Version 12.1.2.0
Oracle Http Server	Version 12.1.3.0
Oracle Linux	Version 6
Oracle Solaris	Version 11.2

Configuration F

2 vulnerable

Vulnerable Software	Affected Versions
Apple Mac Os X	Before 10.10.4
Apple Mac Os X Server	Before 5.0.3

Configuration G

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 10.04
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 14.10

References (94)

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=143403519711434&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=144493176821532&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://martin.swende.se/blog/HTTPChunked.html

Source: cve@mitre.org

Broken LinkExploitThird Party Advisory

http://rhn.redhat.com/errata/RHSA-2015-0325.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2015-1249.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2015-2661.html

Source: cve@mitre.org

Broken LinkThird Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-0061.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-0062.html

Source: cve@mitre.org

Third Party Advisory

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES

Source: cve@mitre.org

Release NotesVendor Advisory

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c

Source: cve@mitre.org

PatchVendor Advisory

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=1610674&r2=1610814&diff_format=h

Source: cve@mitre.org

PatchVendor Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2014:174

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/66550

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/USN-2523-1

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2015:2659

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2015:2660

Source: cve@mitre.org

Third Party Advisory

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246

Source: cve@mitre.org

Third Party Advisory

https://httpd.apache.org/security/vulnerabilities_24.html

Source: cve@mitre.org

Vendor Advisory

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9821b0a32a1d0a1b4947abb6f3630053fcbb2ec905d9a32c2bd4d4ee%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://security.gentoo.org/glsa/201504-03

Source: cve@mitre.org

Third Party Advisory

https://support.apple.com/HT204659

Source: cve@mitre.org

Third Party Advisory

https://support.apple.com/HT205219

Source: cve@mitre.org

Third Party Advisory

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html