Vulnerability CVE-2013-5705

Vulnerability Name:

CVE-2013-5705 (CCN-92236)

Assigned:

2013-09-05

Published:

2014-03-31

Updated:

2021-02-12

Summary:

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2013-5705

Source: MISC
Type: Exploit, Third Party Advisory
http://martin.swende.se/blog/HTTPChunked.html

Source: CCN
Type: SA57444
ModSecurity HTTP Requests Chunked Encoding Security Bypass Vulnerability

Source: DEBIAN
Type: Third Party Advisory
DSA-2991

Source: CCN
Type: IBM Security Bulletin 1683965
IBM PureApplication System - ModSecurity chunked header security bypass

Source: CCN
Type: ModSecurity Web site
ModSecurity: Open Source Web Application Firewall

Source: CCN
Type: BID-66552
ModSecurity 'modsecurity.c' Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
modescurity-cve20135705-sec-bypass(92236)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-5705

Vulnerable Configuration:

Configuration 1:

cpe:/a:trustwave:modsecurity:*:*:*:*:*:*:*:* (Version < 2.7.6)

Configuration 2:

cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:trustwave:modsecurity:2.7.4:*:*:*:*:*:*:*

AND

cpe:/a:ibm:pureapplication_system:1.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:pureapplication_system:1.1.0.4:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20135705	V	CVE-2013-5705	2022-05-20
oval:org.opensuse.security:def:33050	P	Security update for the Linux Kernel (Important)	2021-11-30
oval:org.opensuse.security:def:32219	P	Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)	2021-11-19
oval:org.opensuse.security:def:33011	P	Security update for hivex (Moderate)	2021-09-23
oval:org.opensuse.security:def:32163	P	Security update for MozillaFirefox (Important)	2021-08-17
oval:org.opensuse.security:def:33675	P	Security update for apache2 (Important)	2021-06-17
oval:org.opensuse.security:def:31639	P	Security update for freeradius-server (Moderate)	2021-06-11
oval:org.opensuse.security:def:36087	P	apache2-mod_security2-2.7.1-0.2.18.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:42494	P	apache2-mod_security2-2.7.1-0.2.18.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:33921	P	Security update for the Linux Kernel (Important)	2021-06-08
oval:org.opensuse.security:def:30087	P	Security update for libX11 (Important)	2021-06-08
oval:org.opensuse.security:def:26062	P	Security update for djvulibre (Important)	2021-05-31
oval:org.opensuse.security:def:26213	P	Security update for evolution-data-server (Moderate)	2021-03-19
oval:org.opensuse.security:def:30043	P	Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP2) (Important)	2021-03-17
oval:org.opensuse.security:def:32268	P	Security update for openldap2 (Important)	2021-03-03
oval:org.opensuse.security:def:34028	P	Security update for java-1_8_0-openjdk (Moderate)	2021-02-19
oval:org.opensuse.security:def:30024	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:33764	P	Security update for openvswitch (Important)	2021-02-15
oval:org.opensuse.security:def:33979	P	Security update for java-1_8_0-ibm (Moderate)	2021-01-05
oval:org.opensuse.security:def:29367	P	Security update for flac (Moderate)	2021-01-04
oval:org.opensuse.security:def:31565	P	Security update for openssl (Important)	2020-12-11
oval:org.opensuse.security:def:32007	P	Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)	2020-12-07
oval:org.opensuse.security:def:33618	P	Security update for postgresql12 (Important)	2020-12-04
oval:org.opensuse.security:def:32307	P	Security update for python (Important)	2020-12-01
oval:org.opensuse.security:def:33295	P	xorg-x11-libXext-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25636	P	Security update for libproxy (Important)	2020-12-01
oval:org.opensuse.security:def:29642	P	Security update for CUPS	2020-12-01
oval:org.opensuse.security:def:30725	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:31771	P	Security update for MozillaFirefox, MozillaFirefox-branding-SLED, firefox-gcc5, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:32329	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:33306	P	yast2-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25637	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26266	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:29728	P	Security update for MozillaFirefox, firefox-glib2, firefox-gtk3 (Important)	2020-12-01
oval:org.opensuse.security:def:30762	P	Security update for apache2-mod_security2	2020-12-01
oval:org.opensuse.security:def:31863	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:32373	P	Security update for tcpdump (Important)	2020-12-01
oval:org.opensuse.security:def:33387	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:34067	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25648	P	Security update for python36 (Important)	2020-12-01
oval:org.opensuse.security:def:26315	P	Security update for MozillaThunderbird (Moderate)	2020-12-01
oval:org.opensuse.security:def:29284	P	Security update for xorg-x11-server (Important)	2020-12-01
oval:org.opensuse.security:def:29881	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:31920	P	Security update for ghostscript-library (Important)	2020-12-01
oval:org.opensuse.security:def:33522	P	Security update for sudo	2020-12-01
oval:org.opensuse.security:def:34092	P	Security update for mgetty (Moderate)	2020-12-01
oval:org.opensuse.security:def:25712	P	Security update for python36 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26354	P	Security update for chromium (Important)	2020-12-01
oval:org.opensuse.security:def:29285	P	Security update for xorg-x11-server (Important)	2020-12-01
oval:org.opensuse.security:def:29936	P	Security update for libidn (Moderate)	2020-12-01
oval:org.opensuse.security:def:34136	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:25840	P	Security update for libvirt (Moderate)	2020-12-01
oval:org.opensuse.security:def:26368	P	Security update for irssi (Moderate)	2020-12-01
oval:org.opensuse.security:def:29296	P	Security update for xorg-x11-server (Important)	2020-12-01
oval:org.opensuse.security:def:29985	P	Security update for libssh2_org (Moderate)	2020-12-01
oval:org.opensuse.security:def:31553	P	Security update for sqlite3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:34774	P	Security update for MozillaFirefox (Moderate)	2020-12-01
oval:org.opensuse.security:def:25921	P	Recommended update for mariadb (Important)	2020-12-01
oval:org.opensuse.security:def:26412	P	Security update for tor (Moderate)	2020-12-01
oval:org.opensuse.security:def:31554	P	Security update for sqlite3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:34814	P	Security update for apache2-mod_security2	2020-12-01
oval:org.opensuse.security:def:25978	P	Security update for tcpdump, libpcap (Moderate)	2020-12-01
oval:org.opensuse.security:def:27050	P	virt-utils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29498	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:33294	P	xorg-x11-libX11-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27085	P	apache2-mod_security2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29585	P	Security update for apache2-mod_jk (Moderate)	2020-12-01
oval:org.mitre.oval:def:26118	P	SUSE-SU-2014:0972-1 -- Security update for apache2-mod_security2	2014-10-13
oval:org.mitre.oval:def:26297	P	DSA-2991-1 -- modsecurity-apache - security update	2014-10-06
oval:com.ubuntu.precise:def:20135705000	V	CVE-2013-5705 on Ubuntu 12.04 LTS (precise) - medium.	2014-04-15
oval:com.ubuntu.trusty:def:20135705000	V	CVE-2013-5705 on Ubuntu 14.04 LTS (trusty) - medium.	2014-04-15
oval:com.ubuntu.xenial:def:20135705000	V	CVE-2013-5705 on Ubuntu 16.04 LTS (xenial) - medium.	2014-04-15
oval:com.ubuntu.xenial:def:201357050000000	V	CVE-2013-5705 on Ubuntu 16.04 LTS (xenial) - medium.	2014-04-15

BACK