CVE-2015-7519 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2015-7519 Interim 1 15 2025-04-13T23:12:55Z current 2021-05-30T13:33:50Z 2025-04-13T23:12:55Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2015-7519 agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2015-December/001751.html E-Mail link for SUSE-SU-2015:2337-1 https://lists.suse.com/pipermail/sle-security-updates/2016-January/001784.html E-Mail link for SUSE-SU-2016:0042-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Lifecycle Management Server 1.3 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Studio Onsite 1.3 SUSE WebYast 1.3 openSUSE Tumbleweed ruby2.1-rubygem-passenger-5.0.18-6.1 ruby2.7-rubygem-passenger-6.0.8-3.2 ruby3.0-rubygem-passenger-6.0.8-3.2 rubygem-passenger-3.0.14-0.14.1 rubygem-passenger-5.0.18-6.1 rubygem-passenger-6.0.8-3.2 rubygem-passenger-apache2-3.0.14-0.14.1 rubygem-passenger-apache2-5.0.18-6.1 rubygem-passenger-apache2-6.0.8-3.2 rubygem-passenger-nginx-3.0.14-0.14.1 rubygem-passenger-nginx-6.0.8-3.2 rubygem-passenger-3.0.14-0.14.1 as a component of SUSE Lifecycle Management Server 1.3 rubygem-passenger-apache2-3.0.14-0.14.1 as a component of SUSE Lifecycle Management Server 1.3 rubygem-passenger-nginx-3.0.14-0.14.1 as a component of SUSE Lifecycle Management Server 1.3 ruby2.1-rubygem-passenger-5.0.18-6.1 as a component of SUSE Linux Enterprise Module for Containers 12 rubygem-passenger-5.0.18-6.1 as a component of SUSE Linux Enterprise Module for Containers 12 rubygem-passenger-apache2-5.0.18-6.1 as a component of SUSE Linux Enterprise Module for Containers 12 rubygem-passenger-3.0.14-0.14.1 as a component of SUSE Studio Onsite 1.3 rubygem-passenger-nginx-3.0.14-0.14.1 as a component of SUSE Studio Onsite 1.3 rubygem-passenger-3.0.14-0.14.1 as a component of SUSE WebYast 1.3 rubygem-passenger-nginx-3.0.14-0.14.1 as a component of SUSE WebYast 1.3 ruby2.7-rubygem-passenger-6.0.8-3.2 as a component of openSUSE Tumbleweed ruby3.0-rubygem-passenger-6.0.8-3.2 as a component of openSUSE Tumbleweed rubygem-passenger-6.0.8-3.2 as a component of openSUSE Tumbleweed rubygem-passenger-apache2-6.0.8-3.2 as a component of openSUSE Tumbleweed rubygem-passenger-nginx-6.0.8-3.2 as a component of openSUSE Tumbleweed agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header. CVE-2015-7519 SUSE Lifecycle Management Server 1.3:rubygem-passenger-3.0.14-0.14.1 SUSE Lifecycle Management Server 1.3:rubygem-passenger-apache2-3.0.14-0.14.1 SUSE Lifecycle Management Server 1.3:rubygem-passenger-nginx-3.0.14-0.14.1 SUSE Linux Enterprise Module for Containers 12:ruby2.1-rubygem-passenger-5.0.18-6.1 SUSE Linux Enterprise Module for Containers 12:rubygem-passenger-5.0.18-6.1 SUSE Linux Enterprise Module for Containers 12:rubygem-passenger-apache2-5.0.18-6.1 SUSE Studio Onsite 1.3:rubygem-passenger-3.0.14-0.14.1 SUSE Studio Onsite 1.3:rubygem-passenger-nginx-3.0.14-0.14.1 SUSE WebYast 1.3:rubygem-passenger-3.0.14-0.14.1 SUSE WebYast 1.3:rubygem-passenger-nginx-3.0.14-0.14.1 openSUSE Tumbleweed:ruby2.7-rubygem-passenger-6.0.8-3.2 openSUSE Tumbleweed:ruby3.0-rubygem-passenger-6.0.8-3.2 openSUSE Tumbleweed:rubygem-passenger-6.0.8-3.2 openSUSE Tumbleweed:rubygem-passenger-apache2-6.0.8-3.2 openSUSE Tumbleweed:rubygem-passenger-nginx-6.0.8-3.2 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N