What is the severity of CVE-2013-5704?

CVE-2013-5704 is considered a low-severity vulnerability as the vendor has stated it is not a security issue in Apache HTTP Server.

How do I fix CVE-2013-5704?

To mitigate CVE-2013-5704, upgrade to Apache HTTP Server version 2.2.29 or 2.4.11 or later.

What versions of Apache HTTP Server are affected by CVE-2013-5704?

CVE-2013-5704 affects Apache HTTP Server versions 2.2.22 and earlier, including various other specified versions.

Can CVE-2013-5704 lead to remote code execution?

No, CVE-2013-5704 does not lead to remote code execution but allows for header manipulation.

Is CVE-2013-5704 a exploitation risk to my server?

The risk from CVE-2013-5704 is limited; however, it can be leveraged in specific scenarios to bypass security headers.

Vulnerability/
CVE-2013-5704

medium

1/4/2014

15/4/2014

6/8/2024

CVE-2013-5704

First published: Tue Apr 01 2014(Updated: )

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/httpd	<2.2.29	2.2.29
redhat/httpd	<2.4.11	2.4.11
Apache Http Server	=2.2.0
Apache Http Server	=2.2.2
Apache Http Server	=2.2.3
Apache Http Server	=2.2.4
Apache Http Server	=2.2.5
Apache Http Server	=2.2.6
Apache Http Server	=2.2.8
Apache Http Server	=2.2.9
Apache Http Server	=2.2.10
Apache Http Server	=2.2.11
Apache Http Server	=2.2.12
Apache Http Server	=2.2.13
Apache Http Server	=2.2.14
Apache Http Server	=2.2.15
Apache Http Server	=2.2.16
Apache Http Server	=2.2.17
Apache Http Server	=2.2.18
Apache Http Server	=2.2.19
Apache Http Server	=2.2.20
Apache Http Server	=2.2.21
Apache Http Server	=2.2.22
Apache Http Server	=2.2.23
Apache Http Server	=2.2.24
Apache Http Server	=2.2.25
Apache Http Server	=2.2.26
Apache Http Server	=2.2.27
Apache Http Server	=2.4.1
Apache Http Server	=2.4.2
Apache Http Server	=2.4.3
Apache Http Server	=2.4.4
Apache Http Server	=2.4.6
Apache Http Server	=2.4.7
Apache Http Server	=2.4.9
Apache Http Server	=2.4.10
Red Hat Enterprise Linux Desktop	=6.0
Red Hat Enterprise Linux Desktop	=7.0
Red Hat Enterprise Linux Server EUS	=7.3
Red Hat Enterprise Linux Server EUS	=7.4
Red Hat Enterprise Linux Server EUS	=7.5
Red Hat Enterprise Linux Server EUS	=7.6
Red Hat Enterprise Linux Server EUS	=7.7
Red Hat Enterprise Linux Server	=6.0
Red Hat Enterprise Linux Server	=7.0
Red Hat Enterprise Linux Server	=7.3
Red Hat Enterprise Linux Server	=7.4
Red Hat Enterprise Linux Server	=7.6
Red Hat Enterprise Linux Server	=7.7
Red Hat Enterprise Linux Server	=7.3
Red Hat Enterprise Linux Server	=7.6
Red Hat Enterprise Linux Server	=7.7
Red Hat Enterprise Linux Workstation	=6.0
Red Hat Enterprise Linux Workstation	=7.0
Red Hat JBoss Enterprise Web Server	=3.0.0
Red Hat Enterprise Linux	=6.0
Red Hat Enterprise Linux	=7.0
Red Hat JBoss Enterprise Web Server	=2.0.0
Red Hat Enterprise Linux	=5.0
Oracle Enterprise Manager Ops Center	<12.1.4
Oracle Enterprise Manager Ops Center	=12.1.4
Oracle Enterprise Manager Ops Center	=12.2.0
Oracle Enterprise Manager Ops Center	=12.2.1
Oracle Enterprise Manager Ops Center	=12.3.0
Oracle HTTP Server	=10.1.3.5.0
Oracle HTTP Server	=11.1.1.7.0
Oracle HTTP Server	=12.1.2.0
Oracle HTTP Server	=12.1.3.0
Oracle Linux	=6
Oracle Solaris and Zettabyte File System (ZFS)	=11.2
Apple iOS and macOS	<10.10.4
Apple iOS and macOS	<5.0.3
Ubuntu	=10.04
Ubuntu	=12.04
Ubuntu	=14.04
Ubuntu	=14.10

Remedy

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c

Remedy

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=1610674&r2=1610814&diff_format=h

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2013-5704?
CVE-2013-5704 is considered a low-severity vulnerability as the vendor has stated it is not a security issue in Apache HTTP Server.
How do I fix CVE-2013-5704?
To mitigate CVE-2013-5704, upgrade to Apache HTTP Server version 2.2.29 or 2.4.11 or later.
What versions of Apache HTTP Server are affected by CVE-2013-5704?
CVE-2013-5704 affects Apache HTTP Server versions 2.2.22 and earlier, including various other specified versions.
Can CVE-2013-5704 lead to remote code execution?
No, CVE-2013-5704 does not lead to remote code execution but allows for header manipulation.
Is CVE-2013-5704 a exploitation risk to my server?
The risk from CVE-2013-5704 is limited; however, it can be leveraged in specific scenarios to bypass security headers.

agent/type
agent/remedy
agent/first-publish-date
agent/severity
agent/author
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2013-5704
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/event
agent/source
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/redhat
vendor/apache
canonical/apache http server
version/apache http server/2.2.0
version/apache http server/2.2.2
version/apache http server/2.2.3
version/apache http server/2.2.4
version/apache http server/2.2.5
version/apache http server/2.2.6
version/apache http server/2.2.8
version/apache http server/2.2.9
version/apache http server/2.2.10
version/apache http server/2.2.11
version/apache http server/2.2.12
version/apache http server/2.2.13
version/apache http server/2.2.14
version/apache http server/2.2.15
version/apache http server/2.2.16
version/apache http server/2.2.17
version/apache http server/2.2.18
version/apache http server/2.2.19
version/apache http server/2.2.20
version/apache http server/2.2.21
version/apache http server/2.2.22
version/apache http server/2.2.23
version/apache http server/2.2.24
version/apache http server/2.2.25
version/apache http server/2.2.26
version/apache http server/2.2.27
version/apache http server/2.4.1
version/apache http server/2.4.2
version/apache http server/2.4.3
version/apache http server/2.4.4
version/apache http server/2.4.6
version/apache http server/2.4.7
version/apache http server/2.4.9
version/apache http server/2.4.10
vendor/redhat
canonical/red hat enterprise linux desktop
version/red hat enterprise linux desktop/6.0
version/red hat enterprise linux desktop/7.0
canonical/red hat enterprise linux server eus
version/red hat enterprise linux server eus/7.3
version/red hat enterprise linux server eus/7.4
version/red hat enterprise linux server eus/7.5
version/red hat enterprise linux server eus/7.6
version/red hat enterprise linux server eus/7.7
canonical/red hat enterprise linux server
version/red hat enterprise linux server/6.0
version/red hat enterprise linux server/7.0
version/red hat enterprise linux server/7.3
version/red hat enterprise linux server/7.4
version/red hat enterprise linux server/7.6
version/red hat enterprise linux server/7.7
canonical/red hat enterprise linux workstation
version/red hat enterprise linux workstation/6.0
version/red hat enterprise linux workstation/7.0
canonical/red hat jboss enterprise web server
version/red hat jboss enterprise web server/3.0.0
canonical/red hat enterprise linux
version/red hat enterprise linux/6.0
version/red hat enterprise linux/7.0
version/red hat jboss enterprise web server/2.0.0
version/red hat enterprise linux/5.0
vendor/oracle
canonical/oracle enterprise manager ops center
version/oracle enterprise manager ops center/12.1.4
version/oracle enterprise manager ops center/12.2.0
version/oracle enterprise manager ops center/12.2.1
version/oracle enterprise manager ops center/12.3.0
canonical/oracle http server
version/oracle http server/10.1.3.5.0
version/oracle http server/11.1.1.7.0
version/oracle http server/12.1.2.0
version/oracle http server/12.1.3.0
canonical/oracle linux
version/oracle linux/6
canonical/oracle solaris and zettabyte file system (zfs)
version/oracle solaris and zettabyte file system (zfs)/11.2
vendor/apple
canonical/apple ios and macos
vendor/canonical
canonical/ubuntu
version/ubuntu/10.04
version/ubuntu/12.04
version/ubuntu/14.04
version/ubuntu/14.10

CVE-2013-5704

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2013-5704?

How do I fix CVE-2013-5704?

What versions of Apache HTTP Server are affected by CVE-2013-5704?

Can CVE-2013-5704 lead to remote code execution?

Is CVE-2013-5704 a exploitation risk to my server?

Company

Resources

Contact