漏洞信息(CVE-2017-15715)

一、漏洞 CVE-2017-15715 基础信息

漏洞信息

                                        # N/A

## 漏洞概述
在 Apache httpd 2.4.0 到 2.4.29 版本中，<FilesMatch> 中指定的表达式可能会匹配恶意文件名中的换行符，而不是仅匹配文件名的结尾。这可能被利用于某些上传文件通过匹配文件名结尾部分被外部阻止的环境。

## 影响版本
- Apache httpd 2.4.0 至 2.4.29

## 漏洞细节
<FilesMatch> 指定的表达式匹配文件名时，可能错误地将换行符识别为文件名的结尾，而不是严格的文件名结尾。攻击者可以通过构造包含换行符的恶意文件名，绕过文件上传的限制。

## 影响
在某些仅通过匹配文件名尾部进行外部阻止上传的环境中，此漏洞可能被利用，从而允许上传恶意文件。

提示

尽管我们采用了先进的大模型技术，但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确，但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利！

漏洞标题

N/A

来源：美国国家漏洞数据库 NVD

漏洞描述信息

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.

来源：美国国家漏洞数据库 NVD

CVSS信息

N/A

来源：美国国家漏洞数据库 NVD

漏洞类别

N/A

来源：美国国家漏洞数据库 NVD

漏洞标题

Apache httpd 输入验证错误漏洞

来源：中国国家信息安全漏洞库 CNNVD

漏洞描述信息

Apache httpd是美国阿帕奇（Apache）软件基金会的一款专为现代操作系统开发和维护的开源HTTP服务器。 Apache httpd 2.4.0版本至2.4.29版本中存在安全漏洞。攻击者可通过向目标系统发送特制的文件利用该漏洞绕过安全限制。

来源：中国国家信息安全漏洞库 CNNVD

CVSS信息

N/A

来源：中国国家信息安全漏洞库 CNNVD

漏洞类别

输入验证错误

来源：中国国家信息安全漏洞库 CNNVD

二、漏洞 CVE-2017-15715 的公开POC

#	POC 描述	源链接	神龙链接
1	None	https://github.com/whisp1830/CVE-2017-15715	POC详情
2	Apache httpd 2.4.0 to 2.4.29 is susceptible to arbitrary file upload vulnerabilities via the expression specified in <FilesMatch>, which could match '$' to a newline character in a malicious filename rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-15715.yaml	POC详情
3	None	https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Apache%20HTTPd%20%E6%8D%A2%E8%A1%8C%E8%A7%A3%E6%9E%90%E6%BC%8F%E6%B4%9E%20CVE-2017-15715.md	POC详情
4		https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2017-15715/README.md	POC详情

三、漏洞 CVE-2017-15715 的情报信息

https://security.netapp.com/advisory/ntap-20180601-0004/ x_refsource_CONFIRM
https://www.tenable.com/security/tns-2019-09 x_refsource_CONFIRM
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us x_refsource_CONFIRM
https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html x_refsource_MISC
https://httpd.apache.org/security/vulnerabilities_24.html x_refsource_CONFIRM
http://www.securityfocus.com/bid/103525 vdb-entry x_refsource_BID
http://www.securitytracker.com/id/1040570 vdb-entry x_refsource_SECTRACK
https://www.debian.org/security/2018/dsa-4164 vendor-advisory x_refsource_DEBIAN
https://usn.ubuntu.com/3627-2/ vendor-advisory x_refsource_UBUNTU
https://usn.ubuntu.com/3627-1/ vendor-advisory x_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2019:0366 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:0367 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3558 vendor-advisory x_refsource_REDHAT
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2018/03/24/6 mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E mailing-list x_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2017-15715

一、 漏洞 CVE-2017-15715 基础信息

漏洞信息

提示

漏洞标题

漏洞描述信息

CVSS信息

漏洞类别

漏洞标题

漏洞描述信息

CVSS信息

漏洞类别

二、漏洞 CVE-2017-15715 的公开POC

三、漏洞 CVE-2017-15715 的情报信息

一、漏洞 CVE-2017-15715 基础信息