{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37999?format=json","vulnerability_id":"VCID-776a-5amc-5fhb","summary":"Header overwriting\nIt is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost. See \"Affected use-cases\" in provided link to establish whether one particular application is affected.","aliases":[{"alias":"CVE-2015-7519"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52476?format=json","purl":"pkg:gem/passenger@4.0.60","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/passenger@4.0.60"},{"url":"http://public2.vulnerablecode.io/api/packages/52477?format=json","purl":"pkg:gem/passenger@5.0.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/passenger@5.0.22"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52474?format=json","purl":"pkg:gem/passenger@4.0.0a","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-776a-5amc-5fhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/passenger@4.0.0a"},{"url":"http://public2.vulnerablecode.io/api/packages/52475?format=json","purl":"pkg:gem/passenger@5.0.0a","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-776a-5amc-5fhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/passenger@5.0.0a"}],"references":[{"reference_url":"https://blog.phusion.nl/2015/12/07/cve-2015-7519/","reference_id":"CVE-2015-7519","reference_type":"","scores":[],"url":"https://blog.phusion.nl/2015/12/07/cve-2015-7519/"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":20,"name":"Improper Input Validation","description":"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-776a-5amc-5fhb"}