The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
CVSS v2.0 Score
4.3
/ 10.0
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Information
- Published
- 5 juil. 2005
- Updated
- 16 avr. 2026
- Status
- Modified
- Source
- secalert@redhat.com
Affected products
apache http serverAll Apache HTTP Server CVEs →
Versions : 2.0.55
debian debian linux
Versions : 3.0, 3.1
Weaknesses (CWE)
CWE-444
References (118)
- http://marc.info/?l=apache-httpd-announce&m=112931556417329&w=3Mailing ListThird Party Advisory
- http://seclists.org/lists/bugtraq/2005/Jun/0025.htmlIssue TrackingMailing ListThird Party Advisory
- http://secunia.com/advisories/14530Not Applicable
- http://secunia.com/advisories/17319Not Applicable
- http://secunia.com/advisories/17487Not Applicable
- http://secunia.com/advisories/17813Not Applicable
- http://secunia.com/advisories/19072Not Applicable
- http://secunia.com/advisories/19073Not Applicable
- http://secunia.com/advisories/19185Not Applicable
- http://secunia.com/advisories/19317Not Applicable
- http://secunia.com/advisories/23074Not Applicable
- http://securityreason.com/securityalert/604ExploitThird Party Advisory
- http://securitytracker.com/id?1014323Broken LinkThird Party AdvisoryVDB Entry
- + 103 more references on NVD
Similar CVEs
Other vulnerabilities of type CWE-444
Loading…
Monitor your products
Get automatic alerts for every new CVE affecting your equipment.