Vulnerability Name:

CVE-2013-4547 (CCN-89099)

Assigned:2013-11-19
Published:2013-11-19
Updated:2021-11-10
Summary:nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-116
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2013-4547

Source: SUSE
Type: Mailing List, Third Party Advisory
SUSE-SU-2013:1895

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2013:1745

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2013:1791

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2013:1792

Source: MLIST
Type: Mitigation, Vendor Advisory
[nginx-announce] 20131119 nginx security advisory (CVE-2013-4547)

Source: CCN
Type: nginx Web site
nginx news

Source: CCN
Type: SA55757
nginx Request URI Verification Security Bypass Security Issue

Source: SECUNIA
Type: Third Party Advisory
55757

Source: CCN
Type: SA55773
nginx Request URI Verification Security Bypass Security Issue

Source: SECUNIA
Type: Third Party Advisory
55822

Source: SECUNIA
Type: Third Party Advisory
55825

Source: DEBIAN
Type: Broken Link
DSA-2802

Source: DEBIAN
Type: DSA-2802
nginx -- restriction bypass

Source: CCN
Type: IBM Security Bulletin 1672562
SmartCloud Provisioning - Oracle CPU October 2013 and January 2014, nginx Open Source

Source: CCN
Type: OSVDB ID: 100015
nginx Crafted URI String Handling Access Restriction Bypass

Source: CCN
Type: BID-63814
nginx CVE-2013-4547 URI Processing Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
nginx-cve20134547-security-bypass(89099)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4547

Vulnerable Configuration:Configuration 1:
  • cpe:/a:f5:nginx:*:*:*:*:*:*:*:* (Version >= 0.8.41 and < 1.4.4)
  • OR cpe:/a:f5:nginx:*:*:*:*:*:*:*:* (Version >= 1.5.0 and <= 1.5.6)

    • Configuration 2:
  • cpe:/a:suse:lifecycle_management_server:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:suse:studio_onsite:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:suse:webyast:1.3:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:nginx:nginx:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:nginx:nginx:1.5.6:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:smartcloud_provisioning:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20134547
    V
    		CVE-2013-4547
    2022-06-30
    oval:org.opensuse.security:def:1527
    P
    		Security update for containerd, docker and runc (Important) (in QA)
    2022-06-14
    oval:org.opensuse.security:def:113030
    P
    		nginx-1.11.4-2.5 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:113396
    P
    		ruby2.7-rubygem-passenger-6.0.8-3.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106801
    P
    		Security update for libsndfile (Important)
    2022-01-11
    oval:org.opensuse.security:def:106473
    P
    		Security update for xorg-x11-server (Important)
    2021-12-20
    oval:org.opensuse.security:def:47662
    P
    		libFLAC++6-1.3.0-11.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48227
    P
    		libxml2-2-2.9.4-46.20.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47526
    P
    		wget-1.14-20.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47855
    P
    		perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47527
    P
    		wpa_supplicant-2.2-14.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47987
    P
    		cyrus-sasl-2.1.26-8.7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47541
    P
    		yast2-users-3.2.11-1.47 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48079
    P
    		libXi6-1.7.4-18.6.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:1005
    P
    		gssproxy-0.8.2-3.6.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:48587
    P
    		p7zip-9.20.1-6.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48652
    P
    		xlockmore-5.43-5.30 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48441
    P
    		gvim-7.4.326-2.14 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48683
    P
    		libgio-fam-2.38.2-5.12 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48525
    P
    		libmusicbrainz4-2.1.5-27.79 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48754
    P
    		pulseaudio-module-bluetooth-5.0-2.7 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:2083
    P
    		nginx-1.14.0-1.14 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63172
    P
    		nginx-1.14.0-1.14 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:49914
    P
    		mercurial on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49968
    P
    		nginx on GA media (Moderate)
    2020-12-01
    oval:org.mitre.oval:def:20055
    P
    		DSA-2802-1 nginx - restriction bypass
    2014-06-23
    oval:com.ubuntu.precise:def:20134547000
    V
    		CVE-2013-4547 on Ubuntu 12.04 LTS (precise) - medium.
    2013-11-23
    BACK
    f5 nginx *
    f5 nginx *
    suse lifecycle management server 1.3
    suse studio onsite 1.3
    suse webyast 1.3
    opensuse opensuse 11.4
    opensuse opensuse 12.2
    opensuse opensuse 12.3
    opensuse opensuse 13.1
    nginx nginx 1.4.3
    nginx nginx 1.5.6
    ibm smartcloud provisioning 2.1
    ibm smartcloud provisioning 2.1.0.1
    ibm smartcloud provisioning 2.1.0.2
    ibm smartcloud provisioning 2.1.0.3