Bug 1290405 - (CVE-2015-7519) CVE-2015-7519 passenger: Header overwriting issue allowing user impersonation
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
: Security
Depends On: 1290406 1290407 1290408
Blocks: 1292105
Reported: 2015-12-10 08:02 EST by Adam Mariš
Modified: 2017-11-30 07:00 EST
Fixed In Version: passenger 4.0.60, passenger 5.0.22
Doc Type: Bug Fix
Description Adam Mariš 2015-12-10 08:02:30 EST
It was found that when the SCGI protocol is used and an app depends on a header set by a trusted server that includes a dash, it is possible for an untrusted remote client to set a colliding header, which would appear different to the server and won't be overwritten but preserved, e.g.

Foobar-User: user
Foobar_User: impersonation

Conversion of the headers for SCGI requires dropping the difference (in this case _ and -), which results in Passenger sending two headers with the same key:

HTTP_FOOBAR_USER: impersonation

The value of the second HTTP_FOOBAR_USER may overwrite the value of the first if a hashmap is used, making the application believe a different value was set by the server. If the header is used for authentication, an unauthenticated remote attacker can impersonate a local user.

Upstream patch:


Public via:
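
The collision described in the report, as an added Python example that is not part of this bug report, of Passenger, or of the upstream fix. It models the CGI/SCGI name normalization that folds "Foobar-User" and "Foobar_User" into one key, shows how a hash-based application loses the server-set value, and contrasts it with a fail-closed conversion that drops underscore names and any key produced by more than one raw name. The header names, values, the request order and the hardened policy are all constructed for illustration; the hardened function is not Passenger's actual patch.

```python
from collections import Counter

# Constructed sample request (not taken from the bug report): the trusted
# front-end server sets Foobar-User after authenticating the client, and the
# same request also carries a client-supplied Foobar_User. Which one the
# front end emits first depends on the proxy; what matters is that the app
# cannot tell the two apart once both are normalized.
RAW_HEADERS = [
    ("Host", "app.example"),
    ("Foobar-User", "user"),           # added by the trusted server
    ("Foobar_User", "impersonation"),  # sent by the untrusted client
]


def cgi_key(name):
    """Map an HTTP header name to its CGI/SCGI meta-variable name:
    upper-case it, turn '-' into '_' and prefix HTTP_. This is the step at
    which 'Foobar-User' and 'Foobar_User' become the same key."""
    return "HTTP_" + name.upper().replace("-", "_")


def naive_scgi_headers(headers):
    """Vulnerable conversion: every header is forwarded, so the two
    differently spelled names arrive as two SCGI entries sharing one key."""
    return [(cgi_key(name), value) for name, value in headers]


def app_env(scgi_pairs):
    """What a typical SCGI/Rack-style application does with the entries:
    load them into a hash, so a later duplicate silently overwrites the
    earlier one and the app has no record that two values were sent."""
    env = {}
    for key, value in scgi_pairs:
        env[key] = value
    return env


def hardened_scgi_headers(headers):
    """Hardened conversion (illustrative, not Passenger's fix): drop any
    header whose raw name contains '_' (the policy nginx applies by default
    with underscores_in_headers off), and drop every header whose normalized
    key is produced by more than one raw name. Failing closed means the app
    sees no HTTP_FOOBAR_USER at all rather than a client-controlled one.
    Returns (forwarded pairs, dropped raw names) so the drops can be logged."""
    counts = Counter(cgi_key(name) for name, _ in headers)
    forwarded, dropped = [], []
    for name, value in headers:
        key = cgi_key(name)
        if "_" in name or counts[key] > 1:
            dropped.append(name)
            continue
        forwarded.append((key, value))
    return forwarded, dropped


if __name__ == "__main__":
    pairs = naive_scgi_headers(RAW_HEADERS)
    print("naive SCGI entries:", pairs)
    print("naive app sees user =", app_env(pairs).get("HTTP_FOOBAR_USER"))
    safe, dropped = hardened_scgi_headers(RAW_HEADERS)
    print("hardened app sees user =", app_env(safe).get("HTTP_FOOBAR_USER"))
    print("dropped names worth alerting on:", dropped)
```

Running the block shows the naive path delivering HTTP_FOOBAR_USER twice and the application keeping "impersonation", while the hardened path forwards only HTTP_HOST and reports both Foobar-User and Foobar_User as dropped. Dropping the trusted header too is deliberate: a request that carries a colliding client name is already suspicious, and denying it (plus logging the dropped names) is safer than guessing which spelling the server meant.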

Comment 3 Adam Mariš 2015-12-10 08:03:51 EST
Created passenger tracking bugs for this issue:

Affects: fedora-all [bug 1290408]
Comment 4 Tomas Hoger 2016-01-25 05:40:06 EST
Original SUSE bug report:


Issue was fixed upstream in both 5.0.22 and 4.0.60:


Upstream blog post with further details and workaround for setups using httpd.

External References:

