FKIE_CVE-2014-5015

Vulnerability from fkie_nvd - Published: 2014-07-24 14:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
References
security@debian.orgftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.ascVendor Advisory
security@debian.orghttp://seclists.org/oss-sec/2014/q3/180
security@debian.orghttp://www.eterna.com.au/bozohttpd/Patch
security@debian.orghttp://www.eterna.com.au/bozohttpd/CHANGES
security@debian.orghttp://www.osvdb.org/109283
security@debian.orghttp://www.securityfocus.com/bid/68752
security@debian.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/94751
af854a3a-2127-422b-91ae-364da2661108ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.ascVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/oss-sec/2014/q3/180
af854a3a-2127-422b-91ae-364da2661108http://www.eterna.com.au/bozohttpd/Patch
af854a3a-2127-422b-91ae-364da2661108http://www.eterna.com.au/bozohttpd/CHANGES
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/109283
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/68752
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/94751
Impacted products
Vendor Product Version
eterna bozohttpd *
eterna bozohttpd 19990519
eterna bozohttpd 20000421
eterna bozohttpd 20000426
eterna bozohttpd 20000427
eterna bozohttpd 20000815
eterna bozohttpd 20000825
eterna bozohttpd 20010610
eterna bozohttpd 20010812
eterna bozohttpd 20010922
eterna bozohttpd 20020710
eterna bozohttpd 20020730
eterna bozohttpd 20020803
eterna bozohttpd 20020804
eterna bozohttpd 20020823
eterna bozohttpd 20020913
eterna bozohttpd 20021106
eterna bozohttpd 20030313
eterna bozohttpd 20030409
eterna bozohttpd 20030626
eterna bozohttpd 20031005
eterna bozohttpd 20040218
eterna bozohttpd 20040808
eterna bozohttpd 20050410
eterna bozohttpd 20060517
eterna bozohttpd 20060710
eterna bozohttpd 20080303
eterna bozohttpd 20090417
eterna bozohttpd 20090522
eterna bozohttpd 20100509
eterna bozohttpd 20100512
eterna bozohttpd 20100617
eterna bozohttpd 20100621
eterna bozohttpd 20100920
eterna bozohttpd 20111118
eterna bozohttpd 20140102
netbsd netbsd 5.1
netbsd netbsd 5.2
netbsd netbsd 6.0
netbsd netbsd 6.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EF2AF0F-2373-43F6-8148-914EF4D178E5",
              "versionEndIncluding": "20140201",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:19990519:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5BA38EE-559D-4341-8291-788C74EE4346",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000421:*:*:*:*:*:*:*",
              "matchCriteriaId": "930F7A3F-A7C8-4603-A4E5-9AB3C27F7355",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000426:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0A6287D-F9C0-4934-84CA-22572806AE26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000427:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A9C2032-F26A-4D5B-A631-4EA68ABD4FE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000815:*:*:*:*:*:*:*",
              "matchCriteriaId": "860DBF31-9655-417A-B2C7-5F389B675FB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000825:*:*:*:*:*:*:*",
              "matchCriteriaId": "E72B5243-904B-4E12-BD28-DDF03EEF6B45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20010610:*:*:*:*:*:*:*",
              "matchCriteriaId": "7FC42DDE-41C9-4DAA-8EB5-CC5D5FFDCCC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20010812:*:*:*:*:*:*:*",
              "matchCriteriaId": "17457601-F61A-444D-8E33-0FE0ED723F61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20010922:*:*:*:*:*:*:*",
              "matchCriteriaId": "20EAEC35-E205-4717-826D-F4D1FCA6DC6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020710:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA4A13CA-DCB0-4C1F-A3DA-27A36BC116B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020730:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D86758B-C34A-4689-9B3A-9CF614D2E4F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020803:*:*:*:*:*:*:*",
              "matchCriteriaId": "732DBCCD-B38A-47B7-BD4B-4EE4CF370AF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020804:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FB916FC-4FB9-48EF-8D46-26C29D35DCD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020823:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAB26F26-3B1E-44BB-A8D1-FB823C2759B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020913:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D2148E4-FB12-4613-8F55-1AB364363BFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20021106:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8EFEEB4-07C3-459F-A807-12A21AFD94F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20030313:*:*:*:*:*:*:*",
              "matchCriteriaId": "30FA69A8-657F-44A0-999D-89EA7E24072E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20030409:*:*:*:*:*:*:*",
              "matchCriteriaId": "B41528DD-A3C0-40D9-9DCC-4C7962337BAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20030626:*:*:*:*:*:*:*",
              "matchCriteriaId": "274EC529-8C50-44C3-96AE-9C636C9183B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20031005:*:*:*:*:*:*:*",
              "matchCriteriaId": "38A29464-13AF-474E-B0F6-BF65F44B3EE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20040218:*:*:*:*:*:*:*",
              "matchCriteriaId": "579B9F00-9093-4D4B-9F19-0FBDA141FD31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20040808:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB017665-6823-407E-AFF3-5A8C1848B3E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20050410:*:*:*:*:*:*:*",
              "matchCriteriaId": "13BE5871-6AB5-4A4B-BD7B-59D7D6161867",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20060517:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E00FD78-FCBF-4D10-AC00-73B6838758B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20060710:*:*:*:*:*:*:*",
              "matchCriteriaId": "162B8DC7-76B5-45E3-8DF3-62C32AB0FB2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20080303:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7BAA49A-41BA-436B-902C-FCDE8C156C2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20090417:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8280988-55E3-4A94-93E3-1064A8B54C8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20090522:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1668326-2B90-4D98-859C-CFDFD7811E13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100509:*:*:*:*:*:*:*",
              "matchCriteriaId": "620F61ED-B77F-48B7-93EA-7089A9C0BBE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100512:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4F081AF-5022-44B4-BBB7-108374DDFADB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100617:*:*:*:*:*:*:*",
              "matchCriteriaId": "68B361C0-AC14-4386-8AA1-94273A1B3FF1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100621:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECE40B8D-B3EA-427A-8539-E9F502806279",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100920:*:*:*:*:*:*:*",
              "matchCriteriaId": "3725C5D4-E464-4E64-BA2E-F6A60F5E4B9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20111118:*:*:*:*:*:*:*",
              "matchCriteriaId": "75CFA0D4-530C-4B15-B6D8-8D5E92E1A50F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20140102:*:*:*:*:*:*:*",
              "matchCriteriaId": "7845A2CA-B83F-479A-B263-9824F13B21BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "730917F8-E1F4-4836-B05A-16B2BA5774DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3407906D-EF23-4812-A597-F0E863DE17B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C23BD3A0-E5AD-4893-AAAF-E2858B4128CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "69CAE756-335E-4E02-83F9-B274D416775C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path."
    },
    {
      "lang": "es",
      "value": "El servidor HTTP bozotic (tambi\u00e9n conocido como bozohttpd) anterior a 20140708, utilizado en NetBSD, trunca las rutas cuando compruebe las restricciones .htpasswd, lo que permite a atacantes remotos evadir la esquema de la autenticaci\u00f3n HTTP y acceder a las restricciones a trav\u00e9s de una ruta larga."
    }
  ],
  "id": "CVE-2014-5015",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-07-24T14:55:09.583",
  "references": [
    {
      "source": "security@debian.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc"
    },
    {
      "source": "security@debian.org",
      "url": "http://seclists.org/oss-sec/2014/q3/180"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.eterna.com.au/bozohttpd/"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.eterna.com.au/bozohttpd/CHANGES"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.osvdb.org/109283"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.securityfocus.com/bid/68752"
    },
    {
      "source": "security@debian.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94751"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/oss-sec/2014/q3/180"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.eterna.com.au/bozohttpd/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.eterna.com.au/bozohttpd/CHANGES"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/109283"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/68752"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94751"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.