Description
agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60
and 5.0.x before 5.0.22, when used in Apache integration mode or in
standalone mode without a filtering proxy, allows remote attackers to spoof
headers passed to applications by using an _ (underscore) character instead
of a - (dash) character in an HTTP header, as demonstrated by an X_User
header.
Package
Upstream: | released
(5.0.22-1)
|
Ubuntu 14.04 ESM: | DNE
|
Ubuntu 20.04 FIPS Compliant: | not-affected
(5.0.22-1)
|
Patches:
Updated: 2022-04-13 12:06:18 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)