CVE-2017-15715
high-risk
Published 2018-03-26
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
Do I need to act?
94.1% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.1/10
High
NETWORK / HIGH complexity
Affected Products (16)
References (54)
Third Party Advisory
http://www.securityfocus.com/bid/103525
Third Party Advisory
http://www.securitytracker.com/id/1040570
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3558
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0366
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0367
Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
and 34 more references
62 / 100
high-risk
Severity
24/34 · High
Exploitability
20/34 · Moderate
Exposure
18/34 · Moderate