Launchpad CVE tracker

CVE 2017-15715

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.

Related bugs and status

CVE-2017-15715 (Candidate) is related to these bugs:

Bug #1770242: Please merge from debian 2.4.33

Summary				In	Importance	Status
	1770242	Please merge from debian 2.4.33		apache2 (Ubuntu)	Low	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2018032...
CONFIRM: https://httpd.apache.o...
SECTRACK: 1040570
BID: 103525
DEBIAN: DSA-4164
UBUNTU: USN-3627-1
UBUNTU: USN-3627-2
CONFIRM: https://security.netap...
REDHAT: RHSA-2018:3558
CONFIRM: https://support.hpe.co...
REDHAT: RHSA-2019:0366
REDHAT: RHSA-2019:0367
MLIST: [httpd-cvs] 20190815 s...
MLIST: [httpd-cvs] 20190815 s...
MISC: https://security.elarl...
CONFIRM: https://www.tenable.co...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210603 s...
MLIST: [httpd-cvs] 20210606 s...

Launchpad.net

CVE 2017-15715

Related bugs and status

Related bugs

References