CVE-2014-5015

bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.eterna.com.au/bozohttpd/	Patch
http://www.securityfocus.com/bid/68752
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc	Vendor Advisory
http://www.osvdb.org/109283
http://seclists.org/oss-sec/2014/q3/180
http://www.eterna.com.au/bozohttpd/CHANGES
https://exchange.xforce.ibmcloud.com/vulnerabilities/94751

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:netbsd:netbsd:6.0:::::::*
	cpe:2.3:o:netbsd:netbsd:5.2:::::::*
	cpe:2.3:a:eterna:bozohttpd:20090417:::::::*
	cpe:2.3:a:eterna:bozohttpd:20080303:::::::*
	cpe:2.3:a:eterna:bozohttpd:20140102:::::::*
	cpe:2.3:a:eterna:bozohttpd:20111118:::::::*
	cpe:2.3:a:eterna:bozohttpd:20100617:::::::*
	cpe:2.3:a:eterna:bozohttpd:20100512:::::::*
	cpe:2.3:a:eterna:bozohttpd:20040808:::::::*
	cpe:2.3:a:eterna:bozohttpd:20040218:::::::*
	cpe:2.3:a:eterna:bozohttpd:20020823:::::::*
	cpe:2.3:o:netbsd:netbsd:5.1:::::::*
	cpe:2.3:a:eterna:bozohttpd:20030313:::::::*
	cpe:2.3:a:eterna:bozohttpd:20000421:::::::*
	cpe:2.3:a:eterna:bozohttpd:20000825:::::::*
	cpe:2.3:a:eterna:bozohttpd:20020803:::::::*
	cpe:2.3:a:eterna:bozohttpd:20020804:::::::*
	cpe:2.3:a:eterna:bozohttpd:20100621:::::::*
	cpe:2.3:a:eterna:bozohttpd:20090522:::::::*
	cpe:2.3:a:eterna:bozohttpd:20020730:::::::*
	cpe:2.3:a:eterna:bozohttpd:20030626:::::::*
	cpe:2.3:a:eterna:bozohttpd:20030409:::::::*
	cpe:2.3:a:eterna:bozohttpd:20100509:::::::*
	cpe:2.3:a:eterna:bozohttpd:20010922:::::::*
	cpe:2.3:a:eterna:bozohttpd:20020710:::::::*
	cpe:2.3:a:eterna:bozohttpd:20000426:::::::*
	cpe:2.3:a:eterna:bozohttpd:20031005:::::::*
	cpe:2.3:a:eterna:bozohttpd:20000427:::::::*
	cpe:2.3:a:eterna:bozohttpd::::::::
	cpe:2.3:a:eterna:bozohttpd:20100920:::::::*
	cpe:2.3:a:eterna:bozohttpd:19990519:::::::*
	cpe:2.3:a:eterna:bozohttpd:20000815:::::::*
	cpe:2.3:o:netbsd:netbsd:6.1:::::::*
	cpe:2.3:a:eterna:bozohttpd:20021106:::::::*
	cpe:2.3:a:eterna:bozohttpd:20060710:::::::*
	cpe:2.3:a:eterna:bozohttpd:20050410:::::::*
	cpe:2.3:a:eterna:bozohttpd:20060517:::::::*
	cpe:2.3:a:eterna:bozohttpd:20010812:::::::*
	cpe:2.3:a:eterna:bozohttpd:20020913:::::::*
	cpe:2.3:a:eterna:bozohttpd:20010610:::::::*

Information

Published : 2014-07-24 07:55

Updated : 2017-08-28 18:35

NVD link : CVE-2014-5015

Mitre link : CVE-2014-5015

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

eterna

bozohttpd

netbsd

netbsd

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.eterna.com.au/bozohttpd/", "name": "http://www.eterna.com.au/bozohttpd/", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/68752", "name": "68752", "tags": [], "refsource": "BID"}, {"url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc", "name": "NetBSD-SA2014-007", "tags": ["Vendor Advisory"], "refsource": "NETBSD"}, {"url": "http://www.osvdb.org/109283", "name": "109283", "tags": [], "refsource": "OSVDB"}, {"url": "http://seclists.org/oss-sec/2014/q3/180", "name": "[oss-security] 20140718 Re: CVE Request: bozohttpd: basic http authentication bypass", "tags": [], "refsource": "MLIST"}, {"url": "http://www.eterna.com.au/bozohttpd/CHANGES", "name": "http://www.eterna.com.au/bozohttpd/CHANGES", "tags": [], "refsource": "CONFIRM"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94751", "name": "netbsd-cve20145015-info-disc(94751)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-5015", "ASSIGNER": "security@debian.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-07-24T14:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20090417:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20080303:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20140102:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20111118:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20100617:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20100512:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20040808:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20040218:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20020823:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20030313:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20000421:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20000825:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20020803:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20020804:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20100621:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20090522:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20020730:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20030626:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20030409:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20100509:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20010922:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20020710:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20000426:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20031005:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20000427:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "20140201"}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20100920:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:19990519:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20000815:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20021106:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20060710:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20050410:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20060517:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20010812:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20020913:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:eterna:bozohttpd:20010610:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:35Z"}

5.0 /10