fkie_cve-2014-5015
Vulnerability from fkie_nvd
Published
2014-07-24 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
Impacted products
Vendor Product Version
eterna bozohttpd *
eterna bozohttpd 19990519
eterna bozohttpd 20000421
eterna bozohttpd 20000426
eterna bozohttpd 20000427
eterna bozohttpd 20000815
eterna bozohttpd 20000825
eterna bozohttpd 20010610
eterna bozohttpd 20010812
eterna bozohttpd 20010922
eterna bozohttpd 20020710
eterna bozohttpd 20020730
eterna bozohttpd 20020803
eterna bozohttpd 20020804
eterna bozohttpd 20020823
eterna bozohttpd 20020913
eterna bozohttpd 20021106
eterna bozohttpd 20030313
eterna bozohttpd 20030409
eterna bozohttpd 20030626
eterna bozohttpd 20031005
eterna bozohttpd 20040218
eterna bozohttpd 20040808
eterna bozohttpd 20050410
eterna bozohttpd 20060517
eterna bozohttpd 20060710
eterna bozohttpd 20080303
eterna bozohttpd 20090417
eterna bozohttpd 20090522
eterna bozohttpd 20100509
eterna bozohttpd 20100512
eterna bozohttpd 20100617
eterna bozohttpd 20100621
eterna bozohttpd 20100920
eterna bozohttpd 20111118
eterna bozohttpd 20140102
netbsd netbsd 5.1
netbsd netbsd 5.2
netbsd netbsd 6.0
netbsd netbsd 6.1



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EF2AF0F-2373-43F6-8148-914EF4D178E5",
              "versionEndIncluding": "20140201",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:19990519:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5BA38EE-559D-4341-8291-788C74EE4346",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000421:*:*:*:*:*:*:*",
              "matchCriteriaId": "930F7A3F-A7C8-4603-A4E5-9AB3C27F7355",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000426:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0A6287D-F9C0-4934-84CA-22572806AE26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000427:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A9C2032-F26A-4D5B-A631-4EA68ABD4FE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000815:*:*:*:*:*:*:*",
              "matchCriteriaId": "860DBF31-9655-417A-B2C7-5F389B675FB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20000825:*:*:*:*:*:*:*",
              "matchCriteriaId": "E72B5243-904B-4E12-BD28-DDF03EEF6B45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20010610:*:*:*:*:*:*:*",
              "matchCriteriaId": "7FC42DDE-41C9-4DAA-8EB5-CC5D5FFDCCC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20010812:*:*:*:*:*:*:*",
              "matchCriteriaId": "17457601-F61A-444D-8E33-0FE0ED723F61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20010922:*:*:*:*:*:*:*",
              "matchCriteriaId": "20EAEC35-E205-4717-826D-F4D1FCA6DC6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020710:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA4A13CA-DCB0-4C1F-A3DA-27A36BC116B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020730:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D86758B-C34A-4689-9B3A-9CF614D2E4F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020803:*:*:*:*:*:*:*",
              "matchCriteriaId": "732DBCCD-B38A-47B7-BD4B-4EE4CF370AF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020804:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FB916FC-4FB9-48EF-8D46-26C29D35DCD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020823:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAB26F26-3B1E-44BB-A8D1-FB823C2759B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20020913:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D2148E4-FB12-4613-8F55-1AB364363BFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20021106:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8EFEEB4-07C3-459F-A807-12A21AFD94F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20030313:*:*:*:*:*:*:*",
              "matchCriteriaId": "30FA69A8-657F-44A0-999D-89EA7E24072E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20030409:*:*:*:*:*:*:*",
              "matchCriteriaId": "B41528DD-A3C0-40D9-9DCC-4C7962337BAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20030626:*:*:*:*:*:*:*",
              "matchCriteriaId": "274EC529-8C50-44C3-96AE-9C636C9183B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20031005:*:*:*:*:*:*:*",
              "matchCriteriaId": "38A29464-13AF-474E-B0F6-BF65F44B3EE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20040218:*:*:*:*:*:*:*",
              "matchCriteriaId": "579B9F00-9093-4D4B-9F19-0FBDA141FD31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20040808:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB017665-6823-407E-AFF3-5A8C1848B3E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20050410:*:*:*:*:*:*:*",
              "matchCriteriaId": "13BE5871-6AB5-4A4B-BD7B-59D7D6161867",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20060517:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E00FD78-FCBF-4D10-AC00-73B6838758B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20060710:*:*:*:*:*:*:*",
              "matchCriteriaId": "162B8DC7-76B5-45E3-8DF3-62C32AB0FB2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20080303:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7BAA49A-41BA-436B-902C-FCDE8C156C2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20090417:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8280988-55E3-4A94-93E3-1064A8B54C8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20090522:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1668326-2B90-4D98-859C-CFDFD7811E13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100509:*:*:*:*:*:*:*",
              "matchCriteriaId": "620F61ED-B77F-48B7-93EA-7089A9C0BBE9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100512:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4F081AF-5022-44B4-BBB7-108374DDFADB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100617:*:*:*:*:*:*:*",
              "matchCriteriaId": "68B361C0-AC14-4386-8AA1-94273A1B3FF1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100621:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECE40B8D-B3EA-427A-8539-E9F502806279",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20100920:*:*:*:*:*:*:*",
              "matchCriteriaId": "3725C5D4-E464-4E64-BA2E-F6A60F5E4B9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20111118:*:*:*:*:*:*:*",
              "matchCriteriaId": "75CFA0D4-530C-4B15-B6D8-8D5E92E1A50F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eterna:bozohttpd:20140102:*:*:*:*:*:*:*",
              "matchCriteriaId": "7845A2CA-B83F-479A-B263-9824F13B21BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "730917F8-E1F4-4836-B05A-16B2BA5774DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3407906D-EF23-4812-A597-F0E863DE17B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C23BD3A0-E5AD-4893-AAAF-E2858B4128CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netbsd:netbsd:6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "69CAE756-335E-4E02-83F9-B274D416775C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path."
    },
    {
      "lang": "es",
      "value": "El servidor HTTP bozotic (tambi\u00e9n conocido como bozohttpd) anterior a 20140708, utilizado en NetBSD, trunca las rutas cuando compruebe las restricciones .htpasswd, lo que permite a atacantes remotos evadir la esquema de la autenticaci\u00f3n HTTP y acceder a las restricciones a trav\u00e9s de una ruta larga."
    }
  ],
  "id": "CVE-2014-5015",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-07-24T14:55:09.583",
  "references": [
    {
      "source": "security@debian.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc"
    },
    {
      "source": "security@debian.org",
      "url": "http://seclists.org/oss-sec/2014/q3/180"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.eterna.com.au/bozohttpd/"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.eterna.com.au/bozohttpd/CHANGES"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.osvdb.org/109283"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.securityfocus.com/bid/68752"
    },
    {
      "source": "security@debian.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94751"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/oss-sec/2014/q3/180"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.eterna.com.au/bozohttpd/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.eterna.com.au/bozohttpd/CHANGES"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/109283"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/68752"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94751"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…