NVD脆弱性詳細

CVE-2005-2088

概要	The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
公表日	2005年7月5日13:00
登録日	2021年1月29日17:58
最終更新日	2024年2月9日11:40

CVSS2.0 : MEDIUM
スコア	4.3
ベクター	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	いいえ

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:apache:http_server::::::::		2.0.35			2.0.55

構成2	以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:3.1:::::::*
cpe:2.3:o:debian:debian_linux:3.0:::::::*

関連情報、対策とツール

No	URL	refsource	タグ
1	http://seclists.org/lists/bugtraq/2005/Jun/0025.html	BUGTRAQ	Issue Tracking Mailing List Third Party Advisory
2	http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf	MISC	Broken Link
3	http://www.securiteam.com/securityreviews/5GP0220G0U.html	MISC	Broken Link Exploit
4	http://securitytracker.com/id?1014323	SECTRACK	Broken Link Third Party Advisory VDB Entry
5	http://www.debian.org/security/2005/dsa-803	DEBIAN	Mailing List Third Party Advisory
6	http://www.debian.org/security/2005/dsa-805	DEBIAN	Mailing List Third Party Advisory
7	http://www.ubuntu.com/usn/usn-160-2	UBUNTU	Broken Link
8	http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html	TRUSTIX	Broken Link
9	http://docs.info.apple.com/article.html?artnum=302847	APPLE	Broken Link
10	http://www.securityfocus.com/bid/15647	BID	Broken Link Third Party Advisory VDB Entry
11	http://secunia.com/advisories/17813	SECUNIA	Not Applicable
12	http://secunia.com/advisories/14530	SECUNIA	Not Applicable
13	http://secunia.com/advisories/17487	SECUNIA	Not Applicable
14	http://www.securityfocus.com/bid/14106	BID	Broken Link Third Party Advisory VDB Entry
15	http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1	SUNALERT	Broken Link
16	http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1	SUNALERT	Broken Link
17	http://secunia.com/advisories/19072	SECUNIA	Not Applicable
18	http://secunia.com/advisories/19073	SECUNIA	Not Applicable
19	http://www.redhat.com/support/errata/RHSA-2005-582.html	REDHAT	Broken Link Third Party Advisory
20	http://www.apache.org/dist/httpd/CHANGES_1.3	CONFIRM	Broken Link Vendor Advisory
21	http://www.apache.org/dist/httpd/CHANGES_2.0	CONFIRM	Broken Link Vendor Advisory
22	http://secunia.com/advisories/19317	SECUNIA	Not Applicable
23	http://secunia.com/advisories/17319	SECUNIA	Not Applicable
24	http://www-1.ibm.com/support/search.wss?rs=0&q=PK13959&apar=only	AIXAPAR	Broken Link Third Party Advisory
25	http://www-1.ibm.com/support/search.wss?rs=0&q=PK16139&apar=only	AIXAPAR	Broken Link Third Party Advisory
26	http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.600000	SLACKWARE	Third Party Advisory
27	http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm	CONFIRM	Third Party Advisory
28	http://secunia.com/advisories/19185	SECUNIA	Not Applicable
29	http://www.novell.com/linux/security/advisories/2005_46_apache.html	SUSE	Broken Link
30	http://www.novell.com/linux/security/advisories/2005_18_sr.html	SUSE	Broken Link
31	https://secure-support.novell.com/KanisaPlatform/Publishing/741/3222109_f.SAL_Public.html	CONFIRM	Broken Link
32	http://secunia.com/advisories/23074	SECUNIA	Not Applicable
33	http://www.mandriva.com/security/advisories?name=MDKSA-2005:130	MANDRIVA	Third Party Advisory
34	http://securityreason.com/securityalert/604	SREASON	Exploit Third Party Advisory
35	http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00612828	HP	Broken Link
36	http://www.vupen.com/english/advisories/2006/0789	VUPEN	Broken Link Permissions Required
37	http://www.vupen.com/english/advisories/2006/1018	VUPEN	Broken Link Permissions Required
38	http://www.vupen.com/english/advisories/2005/2140	VUPEN	Broken Link Permissions Required
39	http://www.vupen.com/english/advisories/2006/4680	VUPEN	Broken Link Permissions Required
40	http://www.vupen.com/english/advisories/2005/2659	VUPEN	Broken Link Permissions Required
41	http://marc.info/?l=apache-httpd-announce&m=112931556417329&w=3	MLIST	Mailing List Third Party Advisory
42	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A840	OVAL	Broken Link Third Party Advisory
43	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1629	OVAL	Broken Link Third Party Advisory
44	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1526	OVAL	Broken Link Third Party Advisory
45	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1237	OVAL	Broken Link Third Party Advisory
46	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11452	OVAL	Broken Link Third Party Advisory
47	http://www.securityfocus.com/archive/1/428138/100/0/threaded	HP	Broken Link Third Party Advisory VDB Entry
48	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
49	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
50	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
51	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
52	https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
53	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
54	https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
55	https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
56	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
57	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
58	https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory
59	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E	MISC	Mailing List Vendor Advisory

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-444	HTTP リクエストスマグリング	https://cwe.mitre.org/data/definitions/444.html