CVE-2014-5015

bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.

Published: Jul 24, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-5015
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
netbsd / netbsd	5.1	5.1.x
netbsd / netbsd	6.0	6.0.x
eterna / bozohttpd	20090417	20090417.x
eterna / bozohttpd	20080303	20080303.x
eterna / bozohttpd	20030313	20030313.x
eterna / bozohttpd	20100617	20100617.x
eterna / bozohttpd	20000421	20000421.x
eterna / bozohttpd	20000825	20000825.x
eterna / bozohttpd	20100512	20100512.x
eterna / bozohttpd	20021106	20021106.x
eterna / bozohttpd	20060710	20060710.x
eterna / bozohttpd	20020803	20020803.x
eterna / bozohttpd	20020804	20020804.x
eterna / bozohttpd	20050410	20050410.x
eterna / bozohttpd	20100621	20100621.x
eterna / bozohttpd	20090522	20090522.x
eterna / bozohttpd	20040808	20040808.x
eterna / bozohttpd	20020730	20020730.x
eterna / bozohttpd	20030626	20030626.x
eterna / bozohttpd	20030409	20030409.x
eterna / bozohttpd	20100509	20100509.x
eterna / bozohttpd	20010922	20010922.x
eterna / bozohttpd	20020710	20020710.x
eterna / bozohttpd	20111118	20111118.x
eterna / bozohttpd	20000426	20000426.x
eterna / bozohttpd	20031005	20031005.x
eterna / bozohttpd	20040218	20040218.x
eterna / bozohttpd	20140102	20140102.x
eterna / bozohttpd	20000427	20000427.x
eterna / bozohttpd	-	20140201.x
eterna / bozohttpd	20060517	20060517.x
eterna / bozohttpd	20010812	20010812.x
eterna / bozohttpd	20020913	20020913.x
eterna / bozohttpd	20100920	20100920.x
eterna / bozohttpd	19990519	19990519.x
eterna / bozohttpd	20010610	20010610.x
netbsd / netbsd	5.2	5.2.x
eterna / bozohttpd	20020823	20020823.x
eterna / bozohttpd	20000815	20000815.x
netbsd / netbsd	6.1	6.1.x

Vulnerability Database

CVE-2014-5015