Potential Security Vulnerability CVE-2013-5704

Version 1

    Verified Product Versions

    AppSense DataNow 3.6, AppSense DataNow 3.5, AppSense DataNow 3.0, AppSense DataNow 2.0, AppSense Insight 1.3, AppSense Insight 1.4

    Introduction

    A security scan may falsely indicate that a DataNow or Insight appliance is potentially vulnerable to CVE-2013-5704.

    Detail

    Vulnerability Summary for CVE-2013-5704

    Original release date: 04/15/2014

    Last revised: 07/16/2015

    Source: US-CERT/NIST

    Overview

    The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

    Impact CVSS Severity (version 2.0):

    CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    Impact Subscore: 2.9

    Exploitability Subscore: 10.0

    CVSS Version 2 Metrics:

    Access Vector: Network exploitable

    Access Complexity: Low

    Authentication: Not required to exploit

    Impact Type: Allows unauthorized modification

    This false positive is reported by some vulnerability scanners because the mod_headers Apache module is vulnerable in versions of Apache prior to 2.2.22.

    This module is not used in the Apache configuration for DataNow.

    This false positive can safely be ignored.
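
One way to confirm from a configuration file that the finding does not apply is to check whether mod_headers is loaded and whether any "RequestHeader unset" directive exists for a trailer to bypass. This is an added example, not AppSense or Apache code; the function names and both sample configurations are constructed. Assumptions: it reads a single file's text, does not follow Include directives, and cannot see statically compiled modules, so `httpd -M` on the running server remains the authoritative list of loaded modules.

```python
# Constructed sample configurations (not taken from any appliance).
SAMPLE_WITHOUT_HEADERS = """\
LoadModule ssl_module modules/mod_ssl.so
# LoadModule headers_module modules/mod_headers.so
Listen 443
"""

SAMPLE_WITH_UNSET = """\
LoadModule headers_module modules/mod_headers.so
<VirtualHost *:443>
    RequestHeader unset "X-Forwarded-User"
    requestheader set X-Frame "1"
</VirtualHost>
"""


def assess(config_text):
    """Return (module_loaded, unset_headers) for one Apache config string."""
    module_loaded = False
    unset_headers = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out directives
        parts = line.split()
        directive = parts[0].lower()  # directive names are case-insensitive
        if directive == "loadmodule" and len(parts) >= 2:
            if parts[1] == "headers_module":
                module_loaded = True
        elif directive == "requestheader" and len(parts) >= 3:
            # Only "unset" is relevant: it is the directive the CVE bypasses.
            if parts[1].lower() == "unset":
                unset_headers.append(parts[2].strip('"'))
    return module_loaded, unset_headers


def verdict(config_text):
    """Summarise whether CVE-2013-5704 is relevant to this configuration."""
    loaded, unset = assess(config_text)
    if not loaded:
        return "not applicable: mod_headers is not loaded"
    if not unset:
        return "loaded, but no RequestHeader unset directive to bypass"
    return "review: RequestHeader unset is relied on for " + ", ".join(unset)


if __name__ == "__main__":
    for name in ("SAMPLE_WITHOUT_HEADERS", "SAMPLE_WITH_UNSET"):
        print(name, "->", verdict(globals()[name]))
```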