CVE-2014-5015

bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
Provider: NIST
Type: Primary
Base Score: 5 UNKNOWN
Atk. Vector: NETWORK
Atk. Complexity: LOW
Priv. Required:
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
Vendor    Product      Version
eterna    bozohttpd    𝑥 ≤ 20140201
netbsd    netbsd       5.1
netbsd    netbsd       5.2
netbsd    netbsd       6.0
netbsd    netbsd       6.1
𝑥 = Vulnerable software versions
Ubuntu Releases
Ubuntu Product    Codename
bozohttpd         lucid      ignored
bozohttpd         precise    ignored
bozohttpd         trusty     Fixed 20111118-1+deb7u1build0.14.04.1, released
bozohttpd         utopic     ignored
bozohttpd         vivid      dne
bozohttpd         wily       dne
bozohttpd         xenial     dne
bozohttpd         yakkety    dne
bozohttpd         zesty      dne
Common Weakness Enumeration