Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2005-2088

The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

Published

2005-07-05T04:00:00.000

Last Modified

2025-04-03T01:03:51.193

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	http_server	< 2.0.55	Yes
Operating System	debian	debian_linux	3.0	Yes
Operating System	debian	debian_linux	3.1	Yes

References

http://docs.info.apple.com/article.html?artnum=302847 Broken Link ([email protected])
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html Broken Link ([email protected])
http://marc.info/?l=apache-httpd-announce&m=112931556417329&w=3 Mailing List, Third Party Advisory ([email protected])
http://seclists.org/lists/bugtraq/2005/Jun/0025.html Issue Tracking, Mailing List, Third Party Advisory ([email protected])
http://secunia.com/advisories/14530 Not Applicable ([email protected])
http://secunia.com/advisories/17319 Not Applicable ([email protected])
http://secunia.com/advisories/17487 Not Applicable ([email protected])
http://secunia.com/advisories/17813 Not Applicable ([email protected])
http://secunia.com/advisories/19072 Not Applicable ([email protected])
http://secunia.com/advisories/19073 Not Applicable ([email protected])
http://secunia.com/advisories/19185 Not Applicable ([email protected])
http://secunia.com/advisories/19317 Not Applicable ([email protected])
http://secunia.com/advisories/23074 Not Applicable ([email protected])
http://securityreason.com/securityalert/604 Exploit, Third Party Advisory ([email protected])
http://securitytracker.com/id?1014323 Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.600000 Third Party Advisory ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1 Broken Link ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1 Broken Link ([email protected])
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm Third Party Advisory ([email protected])
http://www-1.ibm.com/support/search.wss?rs=0&q=PK13959&apar=only Broken Link, Third Party Advisory ([email protected])
http://www-1.ibm.com/support/search.wss?rs=0&q=PK16139&apar=only Broken Link, Third Party Advisory ([email protected])
http://www.apache.org/dist/httpd/CHANGES_1.3 Broken Link, Vendor Advisory ([email protected])
http://www.apache.org/dist/httpd/CHANGES_2.0 Broken Link, Vendor Advisory ([email protected])
http://www.debian.org/security/2005/dsa-803 Mailing List, Third Party Advisory ([email protected])
http://www.debian.org/security/2005/dsa-805 Mailing List, Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDKSA-2005:130 Third Party Advisory ([email protected])
http://www.novell.com/linux/security/advisories/2005_18_sr.html Broken Link ([email protected])
http://www.novell.com/linux/security/advisories/2005_46_apache.html Broken Link ([email protected])
http://www.redhat.com/support/errata/RHSA-2005-582.html Broken Link, Third Party Advisory ([email protected])
http://www.securiteam.com/securityreviews/5GP0220G0U.html Broken Link, Exploit ([email protected])
http://www.securityfocus.com/archive/1/428138/100/0/threaded Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/archive/1/428138/100/0/threaded Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/14106 Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/15647 Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.ubuntu.com/usn/usn-160-2 Broken Link ([email protected])
http://www.vupen.com/english/advisories/2005/2140 Broken Link, Permissions Required ([email protected])
http://www.vupen.com/english/advisories/2005/2659 Broken Link, Permissions Required ([email protected])
http://www.vupen.com/english/advisories/2006/0789 Broken Link, Permissions Required ([email protected])
http://www.vupen.com/english/advisories/2006/1018 Broken Link, Permissions Required ([email protected])
http://www.vupen.com/english/advisories/2006/4680 Broken Link, Permissions Required ([email protected])
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf Broken Link ([email protected])
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00612828 Broken Link ([email protected])
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00612828 Broken Link ([email protected])
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11452 Broken Link, Third Party Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1237 Broken Link, Third Party Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1526 Broken Link, Third Party Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1629 Broken Link, Third Party Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A840 Broken Link, Third Party Advisory ([email protected])
https://secure-support.novell.com/KanisaPlatform/Publishing/741/3222109_f.SAL_Public.html Broken Link ([email protected])
http://docs.info.apple.com/article.html?artnum=302847 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=apache-httpd-announce&m=112931556417329&w=3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/lists/bugtraq/2005/Jun/0025.html Issue Tracking, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/14530 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/17319 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/17487 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/17813 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19072 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19073 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19185 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19317 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/23074 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://securityreason.com/securityalert/604 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1014323 Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.600000 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-1.ibm.com/support/search.wss?rs=0&q=PK13959&apar=only Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-1.ibm.com/support/search.wss?rs=0&q=PK16139&apar=only Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.apache.org/dist/httpd/CHANGES_1.3 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.apache.org/dist/httpd/CHANGES_2.0 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2005/dsa-803 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2005/dsa-805 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDKSA-2005:130 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.novell.com/linux/security/advisories/2005_18_sr.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.novell.com/linux/security/advisories/2005_46_apache.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2005-582.html Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securiteam.com/securityreviews/5GP0220G0U.html Broken Link, Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/428138/100/0/threaded Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/428138/100/0/threaded Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/14106 Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/15647 Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-160-2 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2005/2140 Broken Link, Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2005/2659 Broken Link, Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/0789 Broken Link, Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/1018 Broken Link, Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/4680 Broken Link, Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00612828 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00612828 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11452 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1237 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1526 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1629 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A840 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://secure-support.novell.com/KanisaPlatform/Publishing/741/3222109_f.SAL_Public.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)