CVE-2013-4547 - OpenCVE

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
F5	Nginx
Opensuse	Opensuse
Suse	Lifecycle Management Server Studio Onsite Webyast

Configuration 1 [-]

OR	cpe:2.3:a:f5:nginx::::::::
	cpe:2.3:a:f5:nginx::::::::

Configuration 2 [-]

OR	cpe:2.3:a:suse:lifecycle_management_server:1.3:::::::*
	cpe:2.3:a:suse:studio_onsite:1.3:::::::*
	cpe:2.3:a:suse:webyast:1.3:::::::*
	cpe:2.3:o:opensuse:opensuse:11.4:::::::*
	cpe:2.3:o:opensuse:opensuse:12.2:::::::*
	cpe:2.3:o:opensuse:opensuse:12.3:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00007.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00119.html
http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
http://secunia.com/advisories/55757
http://secunia.com/advisories/55822
http://secunia.com/advisories/55825
http://www.debian.org/security/2012/dsa-2802

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-11-23T18:00:00

Updated: 2024-08-06T16:45:15.058Z

Reserved: 2013-06-12T00:00:00

Link: CVE-2013-4547

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2013-11-23T18:55:04.687

Modified: 2021-11-10T15:59:33.657

Link: CVE-2013-4547

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-11-19T00:00:00", "descriptions": [{"lang": "en", "value": "nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-12-17T15:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "55757", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55757"}, {"name": "SUSE-SU-2013:1895", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00007.html"}, {"name": "openSUSE-SU-2013:1745", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html"}, {"name": "55825", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55825"}, {"name": "55822", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55822"}, {"name": "openSUSE-SU-2013:1792", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00119.html"}, {"name": "openSUSE-SU-2013:1791", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html"}, {"name": "DSA-2802", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2012/dsa-2802"}, {"name": "[nginx-announce] 20131119 nginx security advisory (CVE-2013-4547)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4547", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "55757", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55757"}, {"name": "SUSE-SU-2013:1895", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00007.html"}, {"name": "openSUSE-SU-2013:1745", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html"}, {"name": "55825", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55825"}, {"name": "55822", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55822"}, {"name": "openSUSE-SU-2013:1792", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00119.html"}, {"name": "openSUSE-SU-2013:1791", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html"}, {"name": "DSA-2802", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2012/dsa-2802"}, {"name": "[nginx-announce] 20131119 nginx security advisory (CVE-2013-4547)", "refsource": "MLIST", "url": "http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:45:15.058Z"}, "title": "CVE Program Container", "references": [{"name": "55757", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/55757"}, {"name": "SUSE-SU-2013:1895", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00007.html"}, {"name": "openSUSE-SU-2013:1745", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html"}, {"name": "55825", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/55825"}, {"name": "55822", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/55822"}, {"name": "openSUSE-SU-2013:1792", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00119.html"}, {"name": "openSUSE-SU-2013:1791", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html"}, {"name": "DSA-2802", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2012/dsa-2802"}, {"name": "[nginx-announce] 20131119 nginx security advisory (CVE-2013-4547)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4547", "datePublished": "2013-11-23T18:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:15.058Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EDD62AC-01DD-479D-A0A9-D703063840DE", "versionEndExcluding": "1.4.4", "versionStartIncluding": "0.8.41", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "C743469D-8933-43A6-ABAF-28E68B12A3C1", "versionEndIncluding": "1.5.6", "versionStartIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:lifecycle_management_server:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "723DEC97-DB25-4010-81FB-E47FF04EEDD3", "vulnerable": true}, {"criteria": "cpe:2.3:a:suse:studio_onsite:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "74BCA435-7594-49E8-9BAE-9E02E129B6C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:suse:webyast:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "EDC5169C-7B9A-4269-92F4-638374B79CD8", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*", "matchCriteriaId": "DE554781-1EB9-446E-911F-6C11970C47F4", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI."}, {"lang": "es", "value": "nginx 0.8.41 hasta la versi\u00f3n 1.4.3 y 1.5.x anterior a la versi\u00f3n 1.5.7 permite a atacantes remotos evadir restricciones intencionadas a trav\u00e9s de un car\u00e1cter de espacio sin escape en una URI."}], "id": "CVE-2013-4547", "lastModified": "2021-11-10T15:59:33.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-11-23T18:55:04.687", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00007.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00119.html"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/55757"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/55822"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/55825"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.debian.org/security/2012/dsa-2802"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}]}