CVE-2014-5015

bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
debianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
VendorProductVersion
eternabozohttpd
𝑥
≤ 20140201
netbsdnetbsd
5.1
netbsdnetbsd
5.2
netbsdnetbsd
6.0
netbsdnetbsd
6.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bozohttpd
zesty
dne
yakkety
dne
xenial
dne
wily
dne
vivid
dne
utopic
ignored
trusty
Fixed 20111118-1+deb7u1build0.14.04.1
released
precise
ignored
lucid
ignored
Common Weakness Enumeration
References
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc
http://seclists.org/oss-sec/2014/q3/180
http://www.eterna.com.au/bozohttpd/
http://www.eterna.com.au/bozohttpd/CHANGES
http://www.osvdb.org/109283
http://www.securityfocus.com/bid/68752
https://exchange.xforce.ibmcloud.com/vulnerabilities/94751
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc
http://seclists.org/oss-sec/2014/q3/180
http://www.eterna.com.au/bozohttpd/
http://www.eterna.com.au/bozohttpd/CHANGES
http://www.osvdb.org/109283
http://www.securityfocus.com/bid/68752
https://exchange.xforce.ibmcloud.com/vulnerabilities/94751